EXACT SYNTHESIS OF SINGLE-QUBIT UNITARIES OVER
CLIFFORD-CYCLOTOMIC GATE SETS

SIMON FOREST, DAVID GOSSET, VADYM KLIUCHNIKOV, AND DAVID MCKINNON


Abstract. We generalize an efficient exact synthesis algorithm for single-qubit unitaries
over the Clifford+T gate set which was presented by Kliuchnikov, Maslov and Mosca. Their
algorithm takes as input an exactly synthesizable single-qubit unitary (one which can be
expressed without error as a product of Clifford and T gates) and outputs a sequence of gates
which implements it. The algorithm is optimal in the sense that the length of the sequence,
measured by the number of T gates, is smallest possible. In this paper, for each positive
even integer n we consider the "Clifford-cyclotomic" gate set consisting of the Clifford group
plus a z-rotation by $\pi/n$. We present an efficient exact synthesis algorithm which outputs a
decomposition using the minimum number of $\pi/n$ z-rotations. For the Clifford+T case n = 4
the group of exactly synthesizable unitaries was shown to be equal to the group of unitaries
with entries over the ring $\mathbb{Z}[e^{i\pi/n}, 1/2]$. We prove that this characterization holds for a handful
of other small values of n but the fraction of positive even integers for which it fails to hold
is 100%.


1. Introduction 

It is often convenient to design quantum algorithms using a gate set which includes all
single-qubit unitaries. This is justified by the Solovay-Kitaev Theorem which says that any
single-qubit unitary can be approximated with error at most $\epsilon$ using a sequence of $\mathrm{polylog}(1/\epsilon)$
gates from any finite universal gate set [7]. Moreover, the Theorem directly provides an
efficient algorithm to compute such a sequence.

However, it is known that the decomposition of a single-qubit gate using the Solovay-Kitaev
algorithm can use more gates than is asymptotically necessary. With this approach,
the length of the sequence of gates used to approximate a given unitary to within error $\epsilon$
is $O(\log^c(1/\epsilon))$ where c is a constant approximately equal to 4 [7]. In contrast a counting
argument provides a lower bound of $\Omega(\log(1/\epsilon))$, and universal gate sets where the shortest
possible decomposition achieves this lower bound are known [12, 17, 18]. In fact this lower
bound is achieved for all universal gate sets with algebraic entries [5]. Despite this, for many
years it was an open question to find an efficient algorithm which, for some universal gate
set, decomposes unitaries using gate sequences of length $O(\log(1/\epsilon))$.

Recently a new efficient algorithm was introduced which achieves this for the gate set
consisting of the Clifford group $\mathcal{C}$ plus the $T = \mathrm{diag}(1, e^{i\pi/4})$ gate [14, 23]. In order to describe
the algorithm it will be convenient to define the group

$\mathcal{G}_4 = \langle \mathcal{C}, T \rangle$

of exactly synthesizable unitaries, those which can be expressed without error as a product
of Clifford and T gates. (Here the subscript 4 indicates that we adjoin a $\pi/4$ z-rotation to
the Clifford group.) The algorithm is based on the following three ingredients:

(a) Efficient and optimal exact synthesis algorithm [14] An efficient algorithm
which takes as input a unitary $U \in \mathcal{G}_4$ and outputs a sequence of Clifford and T gates
which implements it. The algorithm is optimal in the sense that the number of T
gates in the decomposition is the smallest achievable in any decomposition of U.


(b) Number-theoretic characterization of exactly synthesizable unitaries [14]
The group of exactly synthesizable unitaries is equal to the group of 2 x 2 unitaries
with entries in the ring $R_4 = \mathbb{Z}[e^{i\pi/4}, 1/2]$. In other words, we have $\mathcal{G}_4 = U_2(R_4)$ where

$U_2(R_4) = \{U \in U(2) : U_{ij} \in \mathbb{Z}[e^{i\pi/4}, 1/2]\}.$

(In reference [14] the result is stated in terms of the ring $\mathbb{Z}[i, 1/\sqrt{2}]$, which is equal to
$\mathbb{Z}[e^{i\pi/4}, 1/2]$.)


(c) Efficient rounding algorithm [23] An efficient^1 algorithm which takes as input any
single-qubit unitary $V$ and a desired precision $\epsilon$ and outputs a unitary $\tilde{V} \in U_2(R_4)$
which approximates $V$ within error $\epsilon$.

These ingredients are put together in the following way in order to decompose a given unitary
$V$. One first uses the rounding algorithm (c) to obtain $\tilde{V} \in U_2(R_4)$ which approximates
$V$ within error $\epsilon$. The number-theoretic characterization (b) says that $U_2(R_4) = \mathcal{G}_4$ and so $\tilde{V}$
is exactly synthesizable. One can therefore use the exact synthesis algorithm (a) to obtain
an optimal decomposition of $\tilde{V}$ as a product of Clifford and T gates. The resulting decomposition
approximates $V$ within error $\epsilon$. It is shown in reference [23] that this algorithm
outputs decompositions with length scaling optimally as $O(\log(1/\epsilon))$. Thus it is an optimal
improvement over Solovay-Kitaev for the Clifford+T gate set. Similar machinery has since
been developed for a few other gate sets [3, 13, 4], but each new one seems to pose unique
challenges and there is no general theory.

In this work we consider an infinite family of single-qubit gate sets which includes Clifford+T
as a special case. For each even n, we define the "Clifford-cyclotomic" gate set which
consists of the Clifford group plus

$U_z(\pi/n) = \begin{pmatrix} 1 & 0 \\ 0 & e^{i\pi/n} \end{pmatrix}.$

We refer to the group of unitaries which is generated by these gates as the Clifford-cyclotomic
group $\mathcal{G}_n$. Throughout this paper we consider the case where n is even. One could also define
the groups $\mathcal{G}_n$ for odd n, but it is easy to see that if n is odd then $\mathcal{G}_n = \mathcal{G}_{2n}$. In this sense
the odd values of n are redundant.

Unitaries from Clifford-cyclotomic gate sets appear in a variety of contexts in quantum
computation, often in the special case where n is a power of 2 (e.g., in the Clifford hierarchy
[10], classifying transversal gates for stabilizer codes [2], and Shor's algorithm [26]). Recently
some authors have proposed state distillation protocols which can be used to implement
$U_z(\pi/2^k)$ fault-tolerantly [15, 8].

^1 Strictly speaking the algorithm is not proven to be efficient; its efficiency follows from a number-theoretic
conjecture.

We are interested in whether or not the three ingredients (a), (b), and (c) described
above for Clifford+T (the case n = 4) can be generalized to Clifford-cyclotomic gate sets
corresponding to other values of n. Our first result is a generalization of (a):

(A) For each positive even integer n, we describe an efficient exact synthesis algorithm which
takes as input a unitary $U \in \mathcal{G}_n$ and outputs a sequence of Cliffords and $U_z(\pi/n)$ gates
which implements $U$ up to a global phase. The sequence computed by our algorithm
uses the minimum possible number of $U_z(\pi/n)$ gates.

Our exact synthesis algorithm follows a general strategy used in reference [9] for the Clifford+T
case. We first show that every $U \in \mathcal{G}_n$ admits a certain canonical form as a product
of generators. We then look at the Bloch sphere representation of $U$, which is an SO(3) matrix.
Using basic facts from algebraic number theory we show how the entries of this matrix
contain information about the canonical form of $U$, and we describe how it can be recovered
efficiently using this information.

Our approach is closely related to a previous body of work studying discrete rotation groups 
which we believe may find further applications in quantum circuit synthesis [20, 21, 6]. The
mapping from single-qubit unitaries to rotations of the Bloch sphere sends $\mathcal{G}_n$ to a two-
generator discrete subgroup of SO(3) of the kind studied in [20]. Whereas references [20, 21] 
are concerned with characterizing the relations in such groups, our goal here is to obtain an 
explicit decomposition algorithm. However we use many of the same ideas and techniques as 
reference [20] and our algorithm can be viewed as an application and extension of that work. 

Our second result is a partial generalization of (b): 

(B) Let $R_n = \mathbb{Z}[e^{i\pi/n}, 1/2]$ and $U_2(R_n)$ be the group of all 2 x 2 unitaries with entries in this
ring. We prove that $\mathcal{G}_n = U_2(R_n)$ for n = 2, 4, 6, 8, 12 but that this equality holds for a
fraction of positive even integers equal to zero.

Thus, for values of n where $\mathcal{G}_n \neq U_2(R_n)$, the analogue of (b) is false, which is an obstacle
to directly generalizing the algorithm described above (in the Clifford+T case) to these gate
sets.

To establish (B) we again use tools from algebraic number theory. To prove that $\mathcal{G}_n = U_2(R_n)$
for n = 2, 4, 6, 8, 12 we analytically reduce the problem to checking whether a certain
equation can be satisfied and then we use an exhaustive computer search to confirm this.
To prove the second part, we consider the subgroups of z-rotations in $\mathcal{G}_n$ and $U_2(R_n)$. We
establish a condition which characterizes when these subgroups are equal, and we show
that this condition is violated for almost all positive even integers, in the sense that as N
approaches infinity, the number of integers in $\{2, 4, \ldots, N\}$ satisfying the condition is $o(N)$
(see Corollary 5.5).

We leave the question of generalizing (c) as a direction for future work. 

The remainder of this paper is organized as follows. Section 2 contains definitions and basic
properties of the objects studied in this paper. In Section 3 we describe a canonical form
for unitaries in Clifford-cyclotomic groups. Our optimal exact synthesis algorithm, given in
Section 4, is based on this canonical form. In Section 5 we consider the question of when $\mathcal{G}_n$
is equal to $U_2(R_n)$. The remaining three Sections (Section 6, Section 7, and Section 8) are
devoted to proving our results. Appendix A is a glossary which contains definitions and facts
from algebraic number theory. The first five Sections of this paper can be understood using
only the basic algebraic number theory which is reviewed in this glossary.


2. Clifford-cyclotomic gate sets


In this Section we define the single-qubit Clifford group, Clifford-cyclotomic gate sets, and
the Clifford-cyclotomic groups generated by them. We define a notion of optimality for a
decomposition of a given unitary over one of these gate sets. Finally, we describe the image
of the Clifford-cyclotomic groups under the standard mapping from single-qubit unitaries to
rotations of the Bloch sphere.


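2.1. The single-qubit Clifford group. The single-qubit Pauli operators are

$X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}.$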

The single-qubit Clifford group $\mathcal{C}$ is a group of 2 x 2 unitaries which map each Pauli
to another Pauli under conjugation up to a possible minus sign, i.e., for each $C \in \mathcal{C}$ and
$P \in \{X, Y, Z\}$ we have

(1) $C P C^{\dagger} = \pm P'$

for some $P' \in \{X, Y, Z\}$. Moreover, any single-qubit unitary with this property is an element
of $\mathcal{C}$ multiplied by some global phase $e^{i\phi}$.

There are different choices one can make in defining the Clifford group since the conditions
described in the previous paragraph only uniquely specify the quotient group of $\mathcal{C}$ modulo
its center (i.e., they specify $\mathcal{C}$ modulo its subgroup of global phases, unitaries proportional
to the identity). Here we define the single-qubit Clifford group $\mathcal{C} = \langle H_0, S \rangle$ using generators

(2) $H_0 = \frac{1}{2}\begin{pmatrix} 1+i & 1+i \\ 1+i & -1-i \end{pmatrix}, \quad S = \begin{pmatrix} 1 & 0 \\ 0 & i \end{pmatrix}.$

This convention differs from the usual choice, which uses generators $S$ and the Hadamard
matrix $H = \zeta_8^{-1} H_0$ (here and throughout the paper we write $\zeta_m = e^{2\pi i/m}$ for an mth root of
unity); however, since overall global phases are unimportant in quantum computation, the
definition used here is operationally equivalent. We shall later prove that, with our definition,
a 2 x 2 unitary is an element of $\mathcal{C}$ if and only if it has matrix elements from the ring $\mathbb{Z}[i, 1/2]$.


2.2. Clifford-cyclotomic gate sets. A Clifford-cyclotomic gate set is obtained by adjoining
a $\pi/n$ z-rotation to the Clifford group. For each $n \in \{2, 4, 6, \ldots\}$ we define the Clifford-cyclotomic
group generated by this gate set

(3) $\mathcal{G}_n = \langle \mathcal{C}, U_z(\pi/n) \rangle$

where

(4) $U_z(\theta) = \begin{pmatrix} 1 & 0 \\ 0 & e^{i\theta} \end{pmatrix} = \frac{1 + e^{i\theta}}{2} I + \frac{1 - e^{i\theta}}{2} Z.$

Note that each generator, and therefore every unitary in $\mathcal{G}_n$, has matrix elements over a
subring $R_n \subset \mathbb{C}$ of the complex numbers given by

$R_n = \mathbb{Z}[\zeta_{2n}, 1/2]$

(note that $i$ is a power of $\zeta_{2n}$ since n is even).
Although ultimately our goal is to compute decompositions of a given unitary using the
generating set (3), it will sometimes be convenient to use other generating sets for $\mathcal{G}_n$. Since
n is even we have $S = U_z(\pi/2) = (U_z(\pi/n))^{n/2}$ and so

(5) $\mathcal{G}_n = \langle H_0, U_z(\pi/n) \rangle.$

While this generating set and (3) both appear to single out the z-axis, we now define another
generating set which does not have this property. For any $p \in \{x, y, z\}$ let $P \in \{X, Y, Z\}$ be
the corresponding Pauli operator and define

$U_{\pm p}(\theta) = \frac{1 + e^{i\theta}}{2} I \pm \frac{1 - e^{i\theta}}{2} P.$

Then $U_{\pm p}(\theta) = C U_z(\theta) C^{\dagger}$ where $C$ is a Clifford satisfying $C Z C^{\dagger} = \pm P$. So $\mathcal{G}_n$ also contains
$U_{\pm p}(\pi/n)$ for all $p \in \{x, y, z\}$. A more symmetric generating set for $\mathcal{G}_n$ is then

(6) $\mathcal{G}_n = \langle \mathcal{C}, U_{\pm x}(\pi/n), U_{\pm y}(\pi/n), U_{\pm z}(\pi/n) \rangle.$

2.3. Optimal decomposition. We say that a decomposition of a unitary over a Clifford-cyclotomic
gate set is optimal if it uses the minimum number of $\pi/n$ z-rotations.

Consider a product of Clifford gates and z-rotations which is equal to some unitary $U$ up
to a global phase, i.e., an expression

(7) $e^{i\phi} U = C_1 U_z(s_1\pi/n) C_2 U_z(s_2\pi/n) \cdots C_l U_z(s_l\pi/n) C_{l+1}$

where $C_i \in \mathcal{C}$ for $i \in \{1, \ldots, l+1\}$. The cost of such an expression is considered to be the
number of non-Clifford generators used, i.e., $\sum_{i=1}^{l} s_i$. For any $U \in \mathcal{G}_n$ we know there exists
such an expression with $\phi = 0$. We define $T_n(U)$ to be the minimal cost among all such
expressions (allowing any value of $\phi$).

Definition 2.1. For any $U \in \mathcal{G}_n$ define $T_n(U)$ to be the minimal number of $U_z(\pi/n)$ gates
required to implement $U$ (up to a possible global phase), i.e., the minimum value of $\sum_{i=1}^{l} s_i$
achievable in any expression of the form (7). If a sequence of gates of the form (7) achieves
this minimum then it is said to be an optimal decomposition of $U$.

As an example which will be useful to us later on, consider decomposing the gates $U_{\pm p}(a\pi/n)$,
where $1 \le a < n/2$. Note that

$T_n(U_{\pm p}(a\pi/n)) \le a$

since $U_{\pm p}(a\pi/n)$ is equal to $C U_z(a\pi/n) C^{\dagger}$ for some Clifford $C$. Using equation (13) and the
fact that $U_p(\pi/2)$ is Clifford, we see that $T_n(U_{\pm p}(a\pi/n)) \le n/2 - a$ and therefore

(8) $T_n(U_{\pm p}(a\pi/n)) \le \min\{a, n/2 - a\}, \qquad 1 \le a < n/2.$

Unsurprisingly, equality holds in the above equation (this follows from more general results
we present later).


2.4. Bloch sphere representation. It is well known that, modulo global phases, single-qubit
unitaries can be viewed as rotations of the Bloch sphere. In this way the group $\mathcal{G}_n$ is
mapped to a subgroup of SO(3).

A unitary is mapped to a rotation matrix in the following way. Any traceless Hermitian
2 x 2 matrix can be written as a linear combination of the Pauli matrices with real coefficients.
Using this fact we can see that any 2 x 2 unitary matrix $V$ can be associated with a 3 x 3
rotation matrix $\hat{V}$ defined by

(9) VPV^ = P€{X,Y,Z}, 

P&{X,Y,Z} 


where the rows and columns of $\hat{V}$ are indexed by the Pauli matrices. One can easily verify
that the map $U \mapsto \hat{U}$ is a homomorphism from U(2) to SO(3) which identifies unitaries that
differ by a global phase.

We write $\hat{\mathcal{C}}$ and $\hat{\mathcal{G}}_n$ for the images of $\mathcal{C}$ and $\mathcal{G}_n$ respectively.

The finite group $\hat{\mathcal{C}}$ consists of all signed permutation matrices with determinant 1. We use
a slightly overloaded terminology whereby we refer to elements of $\mathcal{C}$ as well as elements of $\hat{\mathcal{C}}$ as
Cliffords; however, it will always be clear from the context which case we are in.

The unitaries $U_x(\pi/n)$, $U_y(\pi/n)$ and $U_z(\pi/n)$ map to rotations about the x, y and z-axes
which we denote by $R_x$, $R_y$ and $R_z$ respectively (suppressing the dependence on n for notational
convenience). Explicitly, we have

$R_x = \begin{pmatrix} 1 & 0 & 0 \\ 0 & \cos\pi/n & \sin\pi/n \\ 0 & -\sin\pi/n & \cos\pi/n \end{pmatrix}, \quad R_y = \begin{pmatrix} \cos\pi/n & 0 & -\sin\pi/n \\ 0 & 1 & 0 \\ \sin\pi/n & 0 & \cos\pi/n \end{pmatrix},$

$R_z = \begin{pmatrix} \cos\pi/n & \sin\pi/n & 0 \\ -\sin\pi/n & \cos\pi/n & 0 \\ 0 & 0 & 1 \end{pmatrix}.$

In fact, the group $\hat{\mathcal{G}}_n$ is a discrete two-generator subgroup of SO(3) of the type studied in
reference [20]: it is generated by two rational-angle rotations about orthogonal axes. This
follows from (5) which implies that Qn is generated by Rz and R^ (since Hq = Rx^'^). 


3. Canonical form

In this Section we describe a canonical form for unitaries in $\mathcal{G}_n$. This canonical form
expresses a unitary as a product of gates from the generating set (6). We will later show
that each unitary admits only one such canonical form (it is unique), and we will give an
efficient algorithm to compute it. Other unique canonical forms as well as a complete set of
relations for the groups $\mathcal{G}_n$ have previously been established in reference [20] using similar
techniques. We believe it should be possible to obtain an exact synthesis algorithm along the
lines of what we achieve using one of these other canonical forms. We use the canonical form
presented below because it directly generalizes one from [9] which was our starting point for
the current work.

We shall use the following simple identities involving the generators (6). The $\pi/n$ rotation
about the x, y or z axis gives a Clifford matrix when raised to the n/2th power:

(10) $(U_p(\pi/n))^{n/2} = U_p(\pi/2) \in \mathcal{C}, \qquad p \in \{x, y, z\}.$

Because Cliffords map Paulis to Paulis under conjugation (up to ±1), we also have
"pseudo-commutation" relations

(11) $C\, U_p(a\pi/n) = U_{\pm p'}(a\pi/n)\, C, \qquad C \in \mathcal{C}, \quad p, p' \in \{x, y, z\}.$
This relation allows us to move a Clifford past $U_p(a\pi/n)$ by updating the subscript. Finally,
note that

(12) $U_p(a\pi/n)\, U_{-p}(a\pi/n) = \zeta_{2n}^{a} I$

which implies

(13) $U_p(a\pi/n) = \zeta_{2n}^{-b}\, U_p(\pi/2)\, U_{-p}(b\pi/n), \qquad b = \frac{n}{2} - a.$

The following decomposition follows from the above identities, and generalizes one given
in [9] for the Clifford+T case.


Lemma 3.1. Suppose $U \in \mathcal{G}_n$. Then there exists a decomposition

(14) $U = \left( \prod_{i=1}^{m} U_{p_i}(a_i\pi/n) \right) D$

for some nonnegative integer m, rotation axes $p_1, \ldots, p_m \in \{x, y, z\}$ satisfying $p_i \neq p_{i+1}$, a
matrix $D$ equal to a global phase times a Clifford (i.e., $e^{i\phi} D \in \mathcal{C}$ for some $\phi$) and integers
$1 \le a_i < n/2$.

Proof: We shall prove a slightly stronger result, namely, that such a decomposition exists
satisfying

(15) $\sum_{i=1}^{m} \min(a_i, n/2 - a_i) = T_n(U).$

Let $U \in \mathcal{G}_n$ be given. By definition there exists an optimal decomposition of $U$ of the form
(7). Letting $M_j = C_1 C_2 \cdots C_j$ we can then rewrite (7) as

(16) $e^{i\phi} U = \left(M_1 U_z(s_1\pi/n) M_1^{\dagger}\right) \left(M_2 U_z(s_2\pi/n) M_2^{\dagger}\right) \cdots \left(M_l U_z(s_l\pi/n) M_l^{\dagger}\right) M_{l+1}$

(17) $\phantom{e^{i\phi} U} = \left( \prod_{i=1}^{l} U_{(-1)^{r_i} f_i}(s_i\pi/n) \right) M_{l+1}$

where $r_i \in \{0, 1\}$, $f_i \in \{x, y, z\}$, and, since we started from an optimal decomposition

(18) $T_n(U) = \sum_{i=1}^{l} s_i.$

Suppose there exists some i in (17) where $f_i = f_{i+1}$. If this happens then it must be the
case that $r_i = r_{i+1}$. To see this, note that if instead $r_i \neq r_{i+1}$ then the product of the two
associated terms
is proportional to $U_{\pm f_i}(|s_i - s_{i+1}|\pi/n)$ for some choice of sign (which can be seen using (12)).
Using this fact and equation (8) we see from (17) that $T_n(U) < \sum_{i=1}^{l} s_i$ which contradicts
(18). Having reached a contradiction we conclude that $r_i = r_{i+1}$ if $f_i = f_{i+1}$.

We can combine any consecutive terms in (17) which satisfy $f_i = f_{i+1}$, using the fact that

(19) $U_p(\theta_1) U_p(\theta_2) = U_p(\theta_1 + \theta_2).$
Combining terms in this way we obtain an expression of the form

(20) $e^{i\phi} U = \left( \prod_{i=1}^{m} U_{(-1)^{b_i} g_i}(\gamma_i\pi/n) \right) M$

where $g_i \neq g_{i+1}$, $b_i \in \{0, 1\}$, $M \in \mathcal{C}$, and

(21) $T_n(U) = \sum_{i=1}^{l} s_i = \sum_{i=1}^{m} \gamma_i$

(the second equality follows because we used equation (19) to combine terms).

Using (8) we see (21) implies $\gamma_i \le n/4$ for all i. The decomposition (20) is almost of the
desired form, the only difference arising from the possibility that $b_i \neq 0$. We now describe a
procedure which gets rid of the minus signs and transforms a decomposition of the form (20)
into one of the form (14). Each of the integers $a_i$ appearing in the resulting decomposition
(20) will be equal to either $\gamma_i$ or $\kappa_i = n/2 - \gamma_i$. Thus (15) will be satisfied due to (21). The
rotation axes $p_i$ in the resulting decomposition may be different from the $g_i$ appearing in
(20), and likewise the matrix $D$ will in general be different from $M$.

To complete the proof we describe this procedure. Let $j \in \{1, \ldots, m\}$ be minimal such
that $b_j = 1$ in (20). Equation (13) shows

$U_{-g_j}(\gamma_j\pi/n) = \zeta_{2n}^{-\kappa_j}\, U_{g_j}(\kappa_j\pi/n)\, C$

where $C \in \mathcal{C}$ is a Clifford diagonal in the Pauli $g_j$-basis. We start by replacing $U_{-g_j}(\gamma_j\pi/n)$
in (20) with the right hand side of this equation. Then, by repeatedly using the pseudocommutation
relation (11), we move the Clifford $C$ to the far right hand side of the expression,
redefining $M \leftarrow CM$ and updating the rotation axes $g_s$ and the signs $b_s$ for $s > j$. It is
not hard to see that the condition $g_i \neq g_{i+1}$ will still hold (for all i) after this update (to see
this, use the fact that $[CAC^{\dagger}, CBC^{\dagger}] = 0$ implies $[A, B] = 0$). After rearranging (20) in this
way we have replaced $-g_j$ with $g_j$ so we ensure $b_i = 0$ for all $i \le j$. We may now repeat this
step until, after at most m iterations, we obtain an expression where $b_i = 0$ for all $i \le m$. □

4. Optimal exact synthesis

The purpose of this Section is to describe our exact synthesis algorithm for Clifford-cyclotomic
gate sets. Our work can be viewed as an algorithmic version of the techniques
presented in reference [20].

We use the fact, established below, that the entries of the Bloch sphere representation $\hat{U}$ of a
unitary $U \in \mathcal{G}_n$ provide information about parameters of the canonical form from Lemma 3.1.
Using this relationship we obtain an algorithm which efficiently recovers the canonical form.
As we will see, the canonical form can then be straightforwardly transformed into an optimal
decomposition over the gate set (3).

We will need to use the definition of an algebraic integer as well as the notion of divisibility
of algebraic integers. We reproduce these definitions from the algebraic number theory
glossary given in Appendix A.

Definition A.1. A complex number c is said to be an algebraic number iff there is a nonzero
polynomial $f(x)$ with coefficients in $\mathbb{Q}$ such that $f(c) = 0$. The number c is said to be an
algebraic integer iff the polynomial $f(x)$ can be chosen to have integer coefficients and leading
coefficient one (i.e., $f(x)$ is monic).

Definition A.2. Let b and c be algebraic integers. We say that b is divisible by c iff c is
nonzero and $b/c$ is also an algebraic integer.


To understand how algebraic integers will be useful to us, consider the ath power of the
matrix $R_z$:

$R_z^a = \begin{pmatrix} \cos(\pi a/n) & \sin(\pi a/n) & 0 \\ -\sin(\pi a/n) & \cos(\pi a/n) & 0 \\ 0 & 0 & 1 \end{pmatrix}.$

We suppose $1 \le a < n/2$ and we now list some properties of this matrix. Our aim is to provide
some feeling for what's to come; at this point the reader is not expected to be able to derive
these properties (they follow from our more general Theorem given below).

The only nonzero entry of $R_z^a$ which is an algebraic integer is the 1 in the bottom right.
However, there is an algebraic integer $\beta$ (depending only on n) such that each of the other
seemingly innocuous nonzero entries of this matrix can be rewritten as a quotient

$w/\beta^{q_a}$

where w is an algebraic integer not divisible by $\beta$, and $q_a$ ("the denominator exponent")
is a nonnegative integer which depends on a. Since 1 is an algebraic integer, we say that
its denominator exponent is zero. The pattern of denominator exponents which appears in
the matrix $R_z^a$ can therefore be described as follows. There are two rows where the largest
denominator exponent appearing in the row is equal to $q_a$. These are the first two rows, those
labeled x and y. The third row, labeled z, has largest denominator exponent equal to 0.

For example, consider the case n = 12, with $\beta = 2\cos(\pi/4) = \sqrt{2}$. The matrix $R_z$ can be
written as:

$R_z = \begin{pmatrix} \frac{\sqrt{2+\sqrt{3}}}{2} & \frac{\sqrt{2-\sqrt{3}}}{2} & 0 \\ -\frac{\sqrt{2-\sqrt{3}}}{2} & \frac{\sqrt{2+\sqrt{3}}}{2} & 0 \\ 0 & 0 & 1 \end{pmatrix}.$

It turns out that $\sqrt{2 \pm \sqrt{3}}$ is an algebraic integer that is not divisible by $\sqrt{2}$, and that $q_a = 2$,
so that the four entries in the top left of this matrix have the required form of $w/\beta^{q_a}$ for
some w not divisible by $\beta$. The largest denominator exponent appearing in the first two rows
is $q_a$, as desired, and the denominator exponents in the last row are all zero.

This pattern is the same for $R_z^2$, but we see a slightly different situation for $R_z^3$.



In this case $q_a = 1$, which is reflected by the denominators of $\sqrt{2}$. But although $q_a$ has
changed, the denominator exponents in the first two rows are still $q_a$, and the denominator
exponents in the last row are still zero.

Now consider a general element of $\mathcal{G}_n$. Lemma 3.1 directly implies that the Bloch sphere
representation of $U \in \mathcal{G}_n$ can be decomposed as:

(22) $\hat{U} = \left( \prod_{i=1}^{m} R_{p_i}^{a_i} \right) \hat{D}$

with $\hat{D} \in \hat{\mathcal{C}}$ and parameters m, $a_i$, and $p_i$ satisfying the conditions described in the Lemma
(they are the same parameters appearing in the decomposition of $U$). We considered the
special case $R_z^a$ above and discussed how its denominator exponent pattern is related to a.
The following Theorem describes how the denominator exponent pattern of $\hat{U}$ is related to
the parameters m, $a_i$, and $p_i$.

The statement of the Theorem refers to divisibility and coprimality of algebraic integers.
In this Section we will not need to use the portions of the Theorem having to do with
coprimality, so we have not reproduced its definition here. (We refer the interested reader to
Appendix A; here we are working in the fraction field of $R_n \cap \mathbb{R}$ and its ring of integers.)
Let $n = 2^k s$ with $k \ge 1$ and odd s. Define

(23) /3 = U 

\2cos(^) 

Note that $q_a > 0$ whenever $1 \le a < n/2$.

Theorem 4.1 (Denominator exponent pattern). Let $U \in \mathcal{G}_n$ and consider its Bloch
sphere representation $\hat{U}$. Suppose $\hat{U} \notin \hat{\mathcal{C}}$, and let $\{a_1, \ldots, a_m\}$ and $\{p_1, \ldots, p_m\}$ be the
parameters from a decomposition of $U$ of the form given in Lemma 3.1. Let $N = \sum_{i=1}^{m} q_{a_i}$.
Then

(a) Each nonzero entry of $\hat{U}$ can be written as a quotient $w/\beta^{r}$, where r is a nonnegative
integer and w is an algebraic integer that is not divisible by $\beta$.

(b) The maximum such r which appears in any entry of $\hat{U}$ is N. Exactly two rows of $\hat{U}$
contain an entry of the form $w/\beta^{N}$, with w coprime to $\beta$.

(c) There is exactly one row of $\hat{U}$ that does not contain an entry of the form $w/\beta^{N}$. The
maximum value of r appearing in that row is $N - q_{a_1}$; it contains an entry of the form
$w/\beta^{N - q_{a_1}}$ where w is coprime to $\beta$. If it is the ith row, then $p_1$ is the ith entry in the
list $\{x, y, z\}$.

Similar observations about the entries of rotation matrices were used in the proofs given
in reference [20] (specifically, in the text after Lemma 3); the above Theorem can be viewed
as a version of these observations which is suited to our purpose here, which is to develop an
algorithm. A proof of Theorem 4.1 is presented in Section 6.

We now show that the pattern of denominator exponents can be used to infer the decomposition
from Lemma 3.1, which implies that it is unique. We give an algorithmic proof of this
fact, that is, our proof directly provides an efficient algorithm to compute the decomposition.

Corollary 4.2. For any $U \in \mathcal{G}_n$ the decomposition from Lemma 3.1 is unique. Moreover,
it satisfies

(24) $\sum_{i=1}^{m} \min(a_i, n/2 - a_i) = T_n(U).$

Proof: The proof of Lemma 3.1 given in Section 3 establishes that there exists a decomposition
satisfying (24). So to prove the claim we need only show that the decomposition is
unique. To this end, it is sufficient to show that the parameters $p_1$ and $a_1$ are uniquely determined
by $U$, since, by induction, $p_1, \ldots, p_m$ and $a_1, \ldots, a_m$ are then also uniquely determined.


, if /c = 1 
, if A; > 2 


Qa = 



2k-j ^ if 


gcd(a,n) 

, otherwise. 


= 2 ^ 
and

(25) $D = \left( \prod_{i=1}^{m} U_{p_i}(a_i\pi/n) \right)^{-1} U.$

Consider the set of matrices

$R_q^{-b}\, \hat{U}$

where $q \in \{x, y, z\}$ and $1 \le b < n/2$. We have $R_q^{-b} = C R_q^{n/2 - b}$ for some Clifford $C \in \hat{\mathcal{C}}$ (which
depends on q). Using this fact and equation (22) we get

(26) $R_q^{-b}\, \hat{U} = \begin{cases} C\, R_q^{n/2 - b} \left[ \prod_{i=1}^{m} R_{p_i}^{a_i} \right] \hat{D} & \text{if } q \neq p_1 \\ \left[ \prod_{i=2}^{m} R_{p_i}^{a_i} \right] \hat{D} & \text{if } q = p_1 \text{ and } b = a_1 \\ R_{p_1}^{(a_1 - b)} \left[ \prod_{i=2}^{m} R_{p_i}^{a_i} \right] \hat{D} & \text{if } q = p_1 \text{ and } a_1 - b > 0 \\ C\, R_{p_1}^{(a_1 + n/2 - b)} \left[ \prod_{i=2}^{m} R_{p_i}^{a_i} \right] \hat{D} & \text{if } q = p_1 \text{ and } a_1 - b < 0 \end{cases}$

Now Theorem 4.1 implies that each nonzero entry of $R_q^{-b}\hat{U}$ can be written $w/\beta^{r}$ where w is not
divisible by $\beta$ and r is the denominator exponent. Let $r_{\max}(b, q)$ be the maximum denominator
exponent r which appears in an entry of $R_q^{-b}\hat{U}$. Now look at equation (26) and apply the
Theorem, keeping in mind that in two of the cases left-multiplication by a Clifford $C$ permutes
the entries and multiplies some of them by minus signs, and thus does not alter the set of
denominator exponents which appear in the matrix. We see that $r_{\max}(b, q) > r_{\max}(a_1, p_1)$
whenever $(b, q) \neq (a_1, p_1)$. Thus $a_1$ and $p_1$ are uniquely determined by $U$, which completes
the proof. □

The above proof directly gives the following algorithm, which takes as input a unitary
$U \in \mathcal{G}_n$ and outputs the parameters m, $p_1, \ldots, p_m$ and $a_1, \ldots, a_m$ and $D$ which appear in the
decomposition from Lemma 3.1.


Algorithm to compute the canonical form

1 Compute the Bloch sphere representation $\hat{U}$ and let $M \leftarrow \hat{U}$ and $i \leftarrow 1$.

2 For each $q \in \{x, y, z\}$ and $1 \le b < n/2$, compute the maximum denominator exponent
$r_{\max}(q, b)$ which appears in an entry of $R_q^{-b} M$. Determine the values $q^*$, $b^*$ for which
$r_{\max}(q, b)$ is minimal.

3 Set $p_i \leftarrow q^*$ and $a_i \leftarrow b^*$ and set $M \leftarrow R_{p_i}^{-a_i} M$. If M is a signed permutation matrix
then let $m \leftarrow i$ and skip to step 4. Otherwise set $i \leftarrow i + 1$ and return to step 2.

4 Compute $D$ using (25).


The exact synthesis task we are interested in is to efficiently obtain an optimal decomposition
of $U$ (up to a global phase) as a product of Clifford and $U_z(\pi/n)$ gates. The canonical
form computed by the above algorithm can be straightforwardly (and efficiently) converted
into such a decomposition. We replace each gate $U_{p_i}(a_i\pi/n)$ with a product of Clifford and
$U_z(\pi/n)$ gates which is equal to it (up to a global phase). Since the canonical form satisfies
(24), we are guaranteed that the resulting decomposition of $U$ will be optimal as long as we
use $\min(a_i, n/2 - a_i)$ non-Clifford gates $U_z(\pi/n)$ to implement $U_{p_i}(a_i\pi/n)$. We showed how to
achieve this in Section 2.3.

This algorithm requires testing an algebraic integer for divisibility by $\beta$. We assume that
the algebraic integers are given in terms of an integral basis of $R_n$, in which case the divisibility
test is straightforward and efficient. In particular, it can be done in polynomial time in terms
of the bit length of the integers. For example, let x and y be two elements of $\mathbb{Z}[\zeta_{2n}]$. To see
if x is divisible by y, first compute the set of Galois conjugates of y. This is easy, since the
Galois group of $\mathbb{Q}(\zeta_{2n})$ over $\mathbb{Q}$ acts by permutations on the 2nth roots of unity. Multiply all
of the nontrivial conjugates of y together to obtain $\gamma \in \mathbb{Z}[\zeta_{2n}]$, and multiply x by $\gamma$. Clearly
x is divisible by y if and only if $x\gamma$ is divisible by $B = y\gamma$ ... but $B \in \mathbb{Z}$, so x is divisible by
y if and only if every coefficient of $x\gamma$ in its integral basis representation is divisible by B.
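
The divisibility test just described, as an added Python example (not code from the paper), run on the n = 12 case of this Section with $\beta = \sqrt{2}$. The function names and the choice to store elements of $\mathbb{Z}[\zeta_{24}]$ as integer coordinates in the basis $1, \zeta, \ldots, \zeta^{7}$ are assumptions of this example.

```python
from math import gcd

M = 24  # 2n for the n = 12 example, so all arithmetic is in Z[zeta_24]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out

def poly_divmod(a, d):
    """Divide integer polynomial a by monic d (coefficients, low degree first)."""
    a, n = list(a), len(d) - 1
    q = [0] * max(len(a) - n, 1)
    for i in range(len(a) - n - 1, -1, -1):
        q[i] = c = a[i + n]
        for j, dj in enumerate(d):
            a[i + j] -= c * dj
    r = a[:n]
    return q, r + [0] * (n - len(r))

_PHI = {}

def cyclotomic(m):
    """Phi_m = (x^m - 1) divided by Phi_d for every proper divisor d of m."""
    if m not in _PHI:
        num = [-1] + [0] * (m - 1) + [1]
        for d in range(1, m):
            if m % d == 0:
                num = poly_divmod(num, cyclotomic(d))[0]
        _PHI[m] = num
    return _PHI[m]

PHI = cyclotomic(M)  # x^8 - x^4 + 1

def reduce_mod_phi(p):
    return poly_divmod(p, PHI)[1]

def zeta(k):
    """zeta_M^k as coordinates in the integral basis 1, zeta, ..., zeta^7."""
    p = [0] * M
    p[k % M] = 1
    return reduce_mod_phi(p)

def add(a, b):
    return [x + y for x, y in zip(a, b)]

def mul(a, b):
    return reduce_mod_phi(poly_mul(a, b))

def galois(a, k):
    """Galois conjugate of a under zeta -> zeta^k, for gcd(k, M) = 1."""
    p = [0] * M
    for i, c in enumerate(a):
        p[i * k % M] += c
    return reduce_mod_phi(p)

def quotient(x, y):
    """Return x / y when y divides x in Z[zeta_M], otherwise None."""
    if not any(y):
        return None
    gamma = zeta(0)
    for k in range(2, M):  # product of the nontrivial conjugates of y
        if gcd(k, M) == 1:
            gamma = mul(gamma, galois(y, k))
    B = mul(y, gamma)  # B = y * gamma is a rational integer
    assert not any(B[1:])
    xg = mul(x, gamma)
    if any(c % B[0] for c in xg):
        return None
    return [c // B[0] for c in xg]

def divides(y, x):
    return quotient(x, y) is not None

SQRT2 = add(zeta(3), zeta(-3))  # beta = 2cos(pi/4) for n = 12

def two_cos(a):
    """2cos(pi a / 12) = zeta^a + zeta^-a."""
    return add(zeta(a), zeta(-a))

def denominator_exponent(w, r, beta=SQRT2):
    """Write w / beta^r in lowest terms; return the exponent of beta that remains."""
    if not any(w):
        return 0
    while r > 0:
        q = quotient(w, beta)
        if q is None:
            break
        w, r = q, r - 1
    return r

def cos_exponent(a):
    # cos(pi a / 12) = (zeta^a + zeta^-a) / 2, and 2 = beta^2
    return denominator_exponent(two_cos(a), 2)
```

Here `cos_exponent(1)` and `cos_exponent(3)` give the denominator exponents 2 and 1 discussed for the n = 12 matrices above.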

5. For which n is Qn equal to the group of 2 x 2 unitary matrices with 

ENTRIES IN THE RING R„? 

Since every element of Qn has matrix elements in the ring R„, Qn is a subgroup of 

U^iRn) = {Ve U{2) : G R4, 

the group of all 2 × 2 unitaries with entries in this ring. We know of no reason to expect that 
$U_2(R_n)$ is equal to $\mathcal{G}_n$. Nevertheless, it was shown in reference [14] that $\mathcal{G}_4 = U_2(R_4)$. This 
characterization was used in an essential way in the algorithm for approximating single-qubit 
unitaries over the Clifford+T gate set [23]. Serre has shown that equality holds for n = 4, 8 
and does not hold when $n = 2^k$ with k > 4 [24]. In this Section we address the question of 
whether such an equality holds for other values of n. For n where this holds one can hope to 
extend the approximation strategy used for the Clifford+T gate set. 

Our first result is positive: we prove that equality holds for some small values of n. 

Theorem 5.1. For n = 2, 4, 6, 8, 12 we have $\mathcal{G}_n = U_2(R_n)$. 

The proof of this Theorem is presented in Section 7. The Theorem was previously known 
to hold in the cases n = 4 [24, 14], n = 6 [24, 4], and n = 8 [24] so the result is new only for 
n = 2 and 12. 

In the remainder of this Section we show that equality does not hold generically. To prove 
this we consider the subgroup of z-axis rotations in $\mathcal{G}_n$, and the corresponding subgroup in 
$U_2(R_n)$: 

$D_n = \{U_z(\theta) : U_z(\theta) \in \mathcal{G}_n\}, \qquad \Delta_n = \{U_z(\theta) : U_z(\theta) \in U_2(R_n)\}.$ 

Of course, if $\mathcal{G}_n$ is equal to $U_2(R_n)$ then these subgroups are equal as well. We characterize 
exactly those values of n for which $D_n$ equals $\Delta_n$. 

We first show that $\mathcal{G}_n$ only contains z-rotations by angles which are multiples of $\pi/n$. 

Theorem 5.2. The subgroup of z-axis rotations in $\mathcal{G}_n$ is 

(27) $D_n = \{U_z(\pi j/n) : 0 \le j \le 2n - 1\}.$ 

Proof: Let $U_z(\theta) \in \mathcal{G}_n$ be given, and consider the parameters m, $\{p_i\}$, $\{a_i\}$, and D from the 
canonical form of this unitary specified in Lemma 3.1. 

First suppose m = 0. In this case $U_z(\theta)$ is proportional to a Clifford. The only z-rotations 
proportional to Cliffords are 

(28) $\{U_z(0), U_z(\pi/2), U_z(\pi), U_z(3\pi/2)\}$, 
and all of these unitaries are included in the set (27). 
Next suppose $m \ge 1$. To understand this case we use Theorem 4.1. The matrix $U_z(\theta)$ has 
Bloch sphere representation 

$$\begin{pmatrix} \cos\theta & \sin\theta & 0 \\ -\sin\theta & \cos\theta & 0 \\ 0 & 0 & 1 \end{pmatrix}.$$

In particular, its bottom right entry is equal to 1. Since $U_z(\theta)$ has a denominator exponent 
r = 0 corresponding to its bottom right entry, looking at part (c) of Theorem 4.1 we see that 
it must be the case that $N = q_{a_1}$, m = 1, and $p_1 = z$ so that $N - q_{a_1} = 0$. In other words 

(29) $U_z(\theta) = U_z(a_1\pi/n)\,D$ 

for some $a_1 \in \{1, \ldots, \frac{n}{2} - 1\}$ and D equal to a Clifford up to a global phase. Noting that D 
is a z-rotation (since $D = U_z(\theta - a_1\pi/n)$), we conclude that it is in the set (28). Using this 
fact and equation (29) we see that $U_z(\theta)$ is a power of $U_z(\pi/n)$, which completes the proof. □ 

Now we turn our attention to $\Delta_n$. From the definition of $U_2(R_n)$ it is clear that $U_z(\theta) \in 
U_2(R_n)$ if and only if $e^{i\theta} \in R_n$. In other words, to characterize the group $\Delta_n$ we have to 
understand which complex phases $e^{i\theta}$ are in the ring $R_n$. 

We prove the following Theorem in Section 8, using a technique due to Shastri [25]. 


Theorem 5.3. Factor $n = 2^k s$, where s is odd, and suppose that there is some positive 
integer t such that $2^t \equiv -1 \pmod{s}$. Then the set 

$S = \{r \in R_n : |r| = 1\}$ 

of elements of $R_n$ with complex absolute value 1 is equal to the set of roots of unity in $\mathbb{Q}(\zeta_{2n})$, 
that is, 

(30) $S = \{e^{i\pi j/n} : j \in \{0, \ldots, 2n-1\}\}.$ 

Conversely, if there is no such positive integer t, then the set S contains an element of infinite 
order. 


Note that if S contains an element of infinite order then $\Delta_n$ contains a matrix of infinite 
order and therefore is not equal to $D_n$. 

Corollary 5.4. Factor $n = 2^k s$, where s is odd, and suppose that there is some positive 
integer t such that $2^t \equiv -1 \pmod{s}$. Then $\Delta_n = D_n$, and is given by equation (27). Conversely, 
if there is no such positive integer t, then $\Delta_n$ is an infinite group and $\mathcal{G}_n \ne U_2(R_n)$. 

To conclude this Section, we now show that almost all even integers do not satisfy the 
condition in the statement above. This presents an obstacle to generalizing the results of 
reference [23] to all Clifford-cyclotomic gate sets. 

Corollary 5.5. For each positive even integer N let 

$f_N = \frac{2}{N}\,\left|\{n \in \{2, 4, \ldots, N\} : \mathcal{G}_n = U_2(R_n)\}\right|$ 

be the fraction of even integers n between 1 and N for which $\mathcal{G}_n = U_2(R_n)$. Then $f_N \to 0$ as 
$N \to \infty$. 

^The question of identifying the nontrivial phases in the ring $R_n$ is equivalent to determining the rank of 
the group of S-integral points on the unit circle for cyclotomic fields and S equal to the set of places lying 
over 2. The general question of computing the ranks of such curves for arbitrary fields and sets of places was 
raised in [16], at the end of section 2.3. 


Proof: Let $\sigma_N$ be the fraction of integers $n \in \{1, 2, \ldots, N\}$ (even and odd) for which the 
condition from Corollary 5.4 is satisfied, i.e., 

$\sigma_N = \frac{1}{N}\,\left|\{n \in \{1, 2, \ldots, N\} : n = 2^k s \text{ with } s \text{ odd, and } \exists\, t > 0 \text{ s.t. } 2^t \equiv -1 \pmod{s}\}\right|.$ 

We shall prove that $\sigma_N \to 0$ as $N \to \infty$, which in particular implies that the fraction of even 
integers $n \in \{2, 4, \ldots, N\}$ satisfying the condition from Corollary 5.4 also approaches zero as 
$N \to \infty$. Using Corollary 5.4 this implies that $f_N \to 0$ as well. 

If p is a prime congruent to 7 modulo 8, then 2 is a perfect square modulo p, but −1 is not 
a square modulo p, and so −1 cannot be a power of 2 modulo p. If n is a multiple of a prime 
p congruent to 7 modulo 8, then by reducing modulo p we see that −1 is also not a power 
of 2 modulo n. The proportion of positive integers n < N with no prime factor congruent 
to 7 modulo 8 approaches 0 as $N \to \infty$. To see this, let $p_i$ denote the ith prime number 
congruent to 7 modulo 8, starting from $p_1 = 7$, and let r be the largest integer such that 
$p_r < N$. Using the principle of inclusion-exclusion, the number of integers between 1 and N 
not divisible by any $p_i$ is exactly: 



where #I denotes the number of elements of the set I. This sum is at most 



which is in turn less than or equal to 



Each sum can be factored as follows 



By Mertens’ Third Theorem (see for example Theorem 429 of [11]), we have 



and 



since Hi (^1 - = 0(1). Hence 

(31) 




Pi 


To complete the proof we show that the first term on the right-hand side tends to 0 as $N \to \infty$. 
We have 

$\log \prod_i \left(1 - \frac{1}{p_i}\right) < \log\left(\prod_i e^{-1/p_i}\right) = -\sum_i \frac{1}{p_i}.$ 

A theorem of Dirichlet (see for example Exercise 7.6 of [3]) implies that this sum is unbounded 
as $N \to \infty$, and so $\prod_i \left(1 - \frac{1}{p_i}\right) \to 0$ as $N \to \infty$. Plugging this into (31) we see 
that $\sigma_N \to 0$ as well. □ 
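
An added numerical illustration of Corollaries 5.4 and 5.5 (not code from the paper): it finds the least t with $2^t \equiv -1 \pmod{s}$ for the odd part s of n and counts the even n ≤ N that pass, which by Corollary 5.4 is an upper bound on the number of even n ≤ N with $\mathcal{G}_n = U_2(R_n)$. It also checks the step of the proof about primes congruent to 7 modulo 8; the function names are assumptions.

```python
def odd_part(n):
    """Return s where n = 2^k * s with s odd."""
    while n % 2 == 0:
        n //= 2
    return n


def least_t(n):
    """Least t > 0 with 2^t = -1 (mod s), s the odd part of n; None if no t exists."""
    s = odd_part(n)
    if s == 1:
        return 1                   # every congruence holds modulo 1
    x, t = 2, 1                    # s is odd and > 1, so 2 mod s is 2
    while x != 1:                  # 2 is invertible mod s, so the orbit returns to 1
        if x == s - 1:
            return t
        x, t = (2 * x) % s, t + 1
    return None


def has_prime_factor_7_mod_8(n):
    """Trial division: does n have a prime factor congruent to 7 modulo 8?"""
    p = 2
    while p * p <= n:
        if n % p == 0:
            if p % 8 == 7:
                return True
            while n % p == 0:
                n //= p
        p += 1
    return n % 8 == 7              # what is left is 1 or a single prime


def count_satisfying_even(N):
    """Number of even n in {2, 4, ..., N} meeting the condition of Corollary 5.4."""
    return sum(1 for n in range(2, N + 1, 2) if least_t(n) is not None)


if __name__ == "__main__":
    for n in (2, 4, 6, 8, 12, 14, 30):
        print(n, odd_part(n), least_t(n))
    for N in (20, 200, 2000, 20000):
        print(N, 2 * count_satisfying_even(N) / N)
```

The printed ratios are upper bounds on $f_N$, since meeting the condition only gives $\Delta_n = D_n$.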


6. Proof of Theorem 4.1 


Recall that we write k for the number of times that n is divisible by two, i.e. $n = 2^k s$ 
where s is odd. Define $\alpha$ = 2^ , and, for each $1 \le a < \frac{n}{2}$, 

(32) 


Ca 


2cos(f) 

cos(^) 


, if 
, if 


n 

gcd(a,n) 

n 

gcd(a,n) 


is not a power of 2 
= 2A 


Likewise define $s_a$ as above but with cos replaced by sin. Then 
(33) $\cos\left(\frac{a\pi}{n}\right) = c_a\,\alpha^{-q_a}$ and $\sin\left(\frac{a\pi}{n}\right) = s_a\,\alpha^{-q_a}$, 

where $q_a$ is defined in equation (23). 

For now, we consider the number field $K = \mathbb{Q}(\{c_a, s_a : 1 \le a < \frac{n}{2}\}, \alpha)$ and its ring of 
integers $O_K$. Later we will see that it is possible to work with a smaller field (the fraction 
field of $R_n \cap \mathbb{R}$) and its ring of integers. 


Lemma 6.1. For each $1 \le a < \frac{n}{2}$, both $c_a$ and $s_a$ are algebraic integers coprime to $\alpha$. 
Moreover, when $\frac{n}{\gcd(a,n)}$ is a power of 2, both $c_a$ and $s_a$ are units. 

Proof: The minimal polynomial of $\alpha$ over $\mathbb{Q}$ is −2 = 0; hence $\alpha$ is an algebraic 
integer. Furthermore the norm $N(\alpha O_K)$ in $O_K$ is a positive power of two. We now show 
that $c_a$ and $s_a$ are algebraic integers (and hence in $O_K$) with $N(c_a O_K)$ and $N(s_a O_K)$ both 
odd and hence relatively prime to $N(\alpha O_K)$. This implies that $\alpha$ and $c_a$ are coprime and that 
$\alpha$ and $s_a$ are coprime. 

It is not hard to see that $\frac{n}{\gcd(a,n)}$ is a power of two if and only if $\frac{n}{\gcd(\frac{n}{2} - a,\, n)}$ is. Using this 
fact we see that $s_a = c_{(\frac{n}{2} - a)}$, and so we need only consider $c_a$ in the rest of the proof. 

First suppose $\frac{n}{\gcd(a,n)}$ is not a power of 2, so $c_a = \zeta_{2n}^{a} + \zeta_{2n}^{-a}$ where $\zeta_{2n}$ is a primitive 2nth 
root of unity. Let $\mu = \zeta_{2n}^{a}$. The norm of $(\mu + \mu^{-1})O_K$ equals the norm of $(\mu^2 + 1)O_K$, 
since the norm is multiplicative and the norm of $\mu O_K$ is one. The norm of $(\mu^2 + 1)O_K$ is a 
power of the constant coefficient in the minimal polynomial for $\mu^2 + 1$ over $\mathbb{Q}$. This minimal 
polynomial is $\Phi_d(x - 1)$ where $d = \frac{n}{\gcd(a,n)}$ and $\Phi_d$ is the dth cyclotomic polynomial, whose 
roots are exactly the primitive dth roots of unity. It is well known that $\Phi_d(-1)$ is odd if d is 
not a power of 2, but we give a short proof here for the sake of completeness: 

Theorem 6.2. If d > 3 is not a power of 2, then $\Phi_d(\pm 1)$ is odd. If $d = 2^k$ for k > 2, then 
$\Phi_d(\pm 1) = 2$. 

Proof: If $d = 2^k$ for k > 2, then since $\Phi_{2^k}(x) = x^{2^{k-1}} + 1$, the result immediately follows. 
Thus, we assume that d is not a power of 2. 

For any integer n > 2 and prime p, every root of $\Phi_{np}(x)$ is also a root of $\Phi_n(x^p)$. If p 
divides n, then the degree of $\Phi_{np}(x)$ is $p\varphi(n)$ ($\varphi$ is the Euler $\varphi$-function), which is also the 
degree of $\Phi_n(x^p)$. Since every cyclotomic polynomial is monic and has no repeated roots, we 
see that the two polynomials are identical. 

If p does not divide n, then the degree of $\Phi_{np}(x)$ is $(p - 1)\varphi(n)$, but the roots of $\Phi_n(x)$ 
are roots of $\Phi_n(x^p)$ that are not roots of $\Phi_{np}(x)$. By comparing degrees again, we see that 

$\Phi_{np}(x) = \Phi_n(x^p)/\Phi_n(x).$ 

To prove the theorem, we proceed by induction on the number of prime factors of d 
(counting multiplicity). If d is prime, then it is odd, and since $\Phi_d(x) = x^{d-1} + \ldots + x + 1$, 
we conclude that $\Phi_d(1) = d$ and $\Phi_d(-1) = 1$. In general, write d = np for some odd prime p. 
If n > 2 and p divides n, then $\Phi_d(\pm 1) = \Phi_n(\pm 1)$ is odd by induction. If n > 2 and p does 
not divide n, then $\Phi_d(\pm 1) = \Phi_n(\pm 1)/\Phi_n(\pm 1) = 1$, which is odd. If n = 2, then $\Phi_d(1) = 1$ as 
before, but $\Phi_d(-1) = \Phi_p(1) = p$, which is odd. □ 

Hence $N((\mu + \mu^{-1})O_K)$ is also odd, since it is a power of an odd number. 

Next suppose $\frac{n}{\gcd(a,n)} = 2^j$ for some j. Note that $1 \le a < \frac{n}{2}$ implies $j \ge 2$. To show that $c_a$ 
is an algebraic integer it is sufficient to show that it is the root of a monic polynomial with 
algebraic integer coefficients. Let $y = 2\cos(a\pi/n)$ and note that f(y) = 0 where 

" -^ 

iterated j — 1 times 

(which can be seen using the double angle formula and the fact that = 2^). By a 

straightforward inductive argument we see that this is a monic polynomial of degree 2^~^ 
with constant coefficient 2 and where every coefficient except the leading one is divisible by 
two. Write 

f{x) = ^ + 2 + 2 ^ biX^ 

i=l 

where each bi is an integer. Substituting f{y) = /(ca2^^ ^) = 0 and dividing through by 2 
gives 

+ 1 + Z = 0 

^=1 

which shows that Cq is the root of a monic polynomial with algebraic integer coefficients. 
Hence Ca is an algebraic integer. We establish that it is coprime to a by showing that its 

h 0 7 1 * 

norm is 1. First note that 22 j-i has minimal polynomial x — 2 and, since = 2-^, 

2cos(a7r/?7,) has minimal polynomial $ 2 ^( 3 ^ ~ 1) (over Q). Letting D be the degree of the 
extension K we then have (by multiplicativity of the norm) 

2^ = N{2cos{a7r/n)OK) = N{2^ OK)N{caOK) = 2^N{caOK). 

Hence $N(c_a O_K) = 1$ and therefore $c_a$ is a unit and coprime to $\alpha$. □ 

The following Theorem differs from Theorem 4.1 in that $\beta$ is replaced by $\alpha$. 

Theorem 6.3. Let $U \in \mathcal{G}_n$ and consider its Bloch sphere representation $\hat{U}$. Suppose $U \notin \mathcal{C}$, 
and let $\{a_1, \ldots, a_m\}$ and $\{p_1, \ldots, p_m\}$ be the parameters from a decomposition of U of the 
form given in Lemma 3.1. Let $N = \sum_{i=1}^{m} q_{a_i}$. Then 

(a) Each nonzero entry of $\hat{U}$ can be written as a quotient $w/\alpha^r$, where r is a nonnegative 
integer and w is an algebraic integer that is not divisible by $\alpha$. 

(b) The maximum such r which appears in any entry of $\hat{U}$ is N. Exactly two rows of $\hat{U}$ 
contain an entry of the form $w/\alpha^N$, with w coprime to $\alpha$. 

(c) There is exactly one row of $\hat{U}$ that does not contain an entry of the form $w/\alpha^N$. The 
maximum value of r appearing in that row is $N - q_{a_1}$; it contains an entry of the form 
$w/\alpha^{N - q_{a_1}}$ where w is coprime to $\alpha$. If it is the ith row, then $p_1$ is the ith entry in the 
list {x, y, z}. 

Proof: Let a decomposition (14) for $M = \hat{U}$ be given, with $m \ge 1$. 

If m = 1, then $M = R_p^a C$ for some rotation axis $p \in \{x, y, z\}$, Clifford C and power 
$1 \le a < \frac{n}{2}$. One row of M will consist entirely of zeroes and ones, in exactly the way 
described in the last item in the theorem, and the other two rows will have entries that are 
either zero or $\cos a\pi/n$ or $\sin a\pi/n$. Thus, it suffices to prove that $\cos a\pi/n$ and $\sin a\pi/n$ are 
of the form $w/\alpha^{q_a}$, where w is an algebraic integer coprime to $\alpha$. This follows directly from 
equation (33) and Lemma 6.1. 

We now suppose m > 2 and proceed by induction on m. Let 

m 

i=\ 

where M' = (nr= . 2 Rpi)C. We assume that pi = z - the other two cases are symmetrical. 
We know that the matrix R^ has the following form: 

tn3/Q;^“i 0 j 

0 0 ij 

where Wi is an algebraic integer coprime to a. If ri, r 2 , and r^ are the three rows of M and 
r(, r^, and rg are the rows of M', we have: 

ri = {wi/a‘^°'^)r[ + (tn2/a^“0^2 

F2 = (tn3/a'^“i)r( + (tn4/a'^“i)r2 
rs = r^ 

Since the entries in each r' can be written in the form for some algebraic integer 

w, it follows that the nonzero entries of each r* can be written in the form w'/a^ for some 
algebraic integer w'. It is also immediately evident that the entries in r 3 can all be written 
in the form for some algebraic integer w, and that there is an entry of the form 

for some algebraic integer coprime to a. 

To complete the proof we show that both ri and r^ contain entries of the form v/a^ where 
V is coprime to a. There is some entry e in one of r[ or that is of the form for 

some algebraic integer coprime to a, and the corresponding entry / in the other row (r^ or 
r[) is of the form w' /for some algebraic integer w' (possibly not coprime to a, or 
even zero). Any linear combination (s/Q:'^“i)e + (f/Q:^“i)/ (where s and t are algebraic integers 
coprime to a) can be written in the form v/a^, where v = sw + a'^^-^tw' is an algebraic integer 
coprime to a. To see why v and a are coprime note that 

vOk + o:Ok = swOk + a‘^°“^tw'OK + oiOk = swOk + oiOk- 

Now sw and a are coprime since s and w are both coprime to a. Hence 


vOk + aOx = swOk + oiOk = Ok 
and therefore v and $\alpha$ are coprime. □ 

To complete the proof of Theorem 4.1 we have to show that $\alpha$ can be replaced by $\beta$ (given 
by (23)) in the statement of Theorem 6.3. Note that when k = 1 we have $\alpha = \beta$ so take 
$k \ge 2$. In this case $n = 2^k s$ with $1 \le s < \frac{n}{2}$ and 

$\frac{\beta}{\alpha} = c_s$ 

where $c_s$ is given by (33) and $\frac{n}{\gcd(s,n)} = 2^k$. Applying Lemma 6.1 we see that $c_s$ is a unit. 

Since $\alpha/\beta$ is a unit, an algebraic integer is divisible by $\alpha$ if and only if it is divisible by $\beta$. 
Likewise the ideal generated by $\alpha$ is equal to the ideal generated by $\beta$ and so coprimality to 
$\alpha$ is equivalent to coprimality to $\beta$. Hence $\alpha$ can be replaced by $\beta$ in the statement of the 
above Theorem. Finally, note that since every element of $\mathcal{G}_n$ has entries in $R_n \cap \mathbb{R}$ and $\beta$ is 
also in this ring, the algebraic integers w appearing in the Theorem are in the ring of integers 
of its field of fractions. We can therefore work in this field of fractions and the corresponding 
ring of integers. 


7. Proof of Theorem 5.1 

We divide the proof into three parts. 

• Part 1: We show that $U \in U_2(R_n)$ satisfies $U \in \mathcal{G}_n$ if and only if the first column of 
U is a first column of some element of $\mathcal{G}_n$ (Lemma 7.1). 

After proving Part 1, it remains to prove that any normalized vector $(x, y)^T$ with entries in $R_n$ (i.e., a 
vector satisfying $|x|^2 + |y|^2 = 1$) appears as the first column of some unitary in $\mathcal{G}_n$. We prove 
this as follows: 

• Part 2: We define a complexity measure function $\mu(x, y)$ which assigns an integer 
to every vector (x, y) with entries in $R_n$. We show that any normalized vector with small enough 
complexity measure (less than or equal to some value $\mu_n$) appears as the first column 
of some element of $\mathcal{G}_n$ (Lemma 7.4). 

• Part 3: Finally, we show that the complexity measure of a normalized vector (x, y) 
can be reduced by applying unitaries from $\mathcal{G}_n$. Specifically, there exists a sequence of 
unitaries $V_1, \ldots, V_m \in \mathcal{G}_n$ such that 

(34) 

satisfies $\mu(x_2, y_2) \le \mu_n$ (this follows directly from Lemma 7.6). 

Note that parts 2 and 3 together imply that $(x, y)^T$ appears as the first column of some 
unitary in $\mathcal{G}_n$. Let $(x_2, y_2)$ and $V_1, \ldots, V_m$ be the vector and unitaries from Part 3. Part 2 
guarantees that there exists $W \in \mathcal{G}_n$ with first column $(x_2, y_2)^T$. We see from equation (34) 
that 

v,K..v^ 

has first column given by $(x, y)^T$ and is an element of $\mathcal{G}_n$. 

^Note that for the rings in this paper, the notions of divisibility and coprimality do not depend on the 
choice of ambient ring. In particular, every extension of rings considered in this paper is integral, so that 
divisibility and coprimality in the smaller ring are equivalent to the corresponding notions in the larger ring. 
While our results in parts 2 and 3 are specific to the cases $n \in \{2, 4, 6, 8, 12\}$, we establish 
part 1 under the more general assumption that, writing $n = 2^k s$ with s odd, there exists a 
positive integer t such that $2^t \equiv -1 \pmod{s}$. 

Part 1 


Lemma 7.1. Factor $n = 2^k s$ where s is odd. Suppose there is some positive integer t such 
that $2^t \equiv -1 \pmod{s}$. Then $U \in U_2(R_n)$ is an element of $\mathcal{G}_n$ if and only if the first column 
of U is a first column of some element of $\mathcal{G}_n$. 

Proof: Suppose $U \in U_2(R_n)$ has the same first column as some unitary $V \in \mathcal{G}_n$. We shall 
prove that U is an element of $\mathcal{G}_n$. We can always write 

$$U = \begin{pmatrix} x & -y^* e^{i\phi} \\ y & x^* e^{i\phi} \end{pmatrix}, \qquad V = \begin{pmatrix} x & -y^* e^{i\theta} \\ y & x^* e^{i\theta} \end{pmatrix},$$

from which we see that $U = V U_z(\phi - \theta)$. Since $V \in \mathcal{G}_n$ we need only show that $U_z(\phi - \theta) \in \mathcal{G}_n$. 
U and V have determinants $e^{i\phi}$ and $e^{i\theta}$ respectively, which implies $e^{i\theta}, e^{i\phi} \in R_n$. Applying 
Theorem 5.3 and using the hypothesis that t exists satisfying $2^t \equiv -1 \pmod{s}$ we see that 
both $e^{i\phi}$ and $e^{i\theta}$ are powers of $\zeta_{2n}$. So $U_z(\phi - \theta)$ is a power of $U_z(\pi/n)$, and therefore an 
element of $\mathcal{G}_n$. □ 


Part 2 

We use the notion of $\mathfrak{p}$-adic valuation in order to define a complexity measure for vectors 
with entries over $R_n$. 

Definition 7.2. Let I be a fractional ideal in the ring of integers $O_K$ of a number field K and 
let $\mathfrak{p}$ be a prime ideal in $O_K$. If $I = \mathfrak{p}^m \prod_i \mathfrak{p}_i^{m_i}$ is the prime factorization of I, then the $\mathfrak{p}$-adic valuation 
of I, denoted as $v_\mathfrak{p}(I)$, is equal to m. For any x from K we define $v_\mathfrak{p}(x) = v_\mathfrak{p}(xO_K)$. We 
also use the convention $v_\mathfrak{p}(0) = \infty$. 

It is well known that the $\mathfrak{p}$-adic valuation satisfies 
(35) $v_\mathfrak{p}(xy) = v_\mathfrak{p}(x) + v_\mathfrak{p}(y)$, 

and is non-negative for any algebraic integer x or integral ideal I. 

We work in the fraction field of $R_n$, which is the cyclotomic field $\mathbb{Q}(\zeta_{2n})$. Its ring of integers 
is $\mathbb{Z}[\zeta_{2n}]$. For the values n = 2, 4, 6, 8, 12 which we consider here, there is a unique prime 
ideal $\mathfrak{p}$ in $\mathbb{Z}[\zeta_{2n}]$ which contains 2 (this follows from Theorem 2.13 in [27]). We use the $\mathfrak{p}$-adic 
valuation with respect to this prime ideal; from now on $\mathfrak{p}$ always refers to this ideal. In fact, 
in the cases n = 2, 4, 6, 8, 12, the ring of integers $\mathbb{Z}[\zeta_{2n}]$ is a principal ideal domain and so $\mathfrak{p}$ 
is generated by a single element of $\mathbb{Z}[\zeta_{2n}]$ which we denote by $\xi_n$. 

We now use these special facts about $\mathfrak{p}$ to derive some additional properties of the $\mathfrak{p}$-adic 
valuation which hold in our case. Firstly, we establish that $x \in R_n$ is an algebraic integer 
if and only if it has non-negative $\mathfrak{p}$-adic valuation. Let us show that if $x \in R_n$ is not an 
algebraic integer then it has negative $\mathfrak{p}$-adic valuation. In this case x can be written $z/2^k$ 
for z from $\mathbb{Z}[\zeta_{2n}]$ not divisible by 2 and positive integer k. Note that it must be the case 
that $v_\mathfrak{p}(z) < v_\mathfrak{p}(2)$, because otherwise z would be in $\mathfrak{p}^{v_\mathfrak{p}(2)}\mathbb{Z}[\zeta_{2n}] = 2\mathbb{Z}[\zeta_{2n}]$. This implies that 
$v_\mathfrak{p}(x)$ is equal to $(v_\mathfrak{p}(z) - k\,v_\mathfrak{p}(2)) < 0$. 
Now we show that the above implies that any $x \in R_n$ can be written 

(36) $x = \dfrac{y}{\xi_n^{-v_\mathfrak{p}(x)}}$ 

with $y \in \mathbb{Z}[\zeta_{2n}]$ and $y \notin \mathfrak{p}$. In other words the $\mathfrak{p}$-adic valuation is equal to minus the 
“denominator exponent” with respect to $\xi_n$. To see why (36) holds, define $y = x\,\xi_n^{-v_\mathfrak{p}(x)}$, 
find that $v_\mathfrak{p}(y) = 0$ and $y \in R_n$, and conclude that y is in $\mathbb{Z}[\zeta_{2n}]$ but not in $\mathfrak{p}$. 

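Now using (36) we derive the following property which holds for all $x, y \in R_n$: 

(37) If $v_\mathfrak{p}(x) < v_\mathfrak{p}(y)$ then $v_\mathfrak{p}(x + y) = v_\mathfrak{p}(x)$. 

To see this, write $x = z/\xi_n^r$ and $y = w/\xi_n^s$ with r > s and $z, w \notin \mathfrak{p}$. Then $x + y = (z + w\xi_n^{r-s})/\xi_n^r$ 
and $z + w\xi_n^{r-s} \notin \mathfrak{p}$. Finally, note that since $\mathfrak{p}$ is the only prime ideal containing 2 and complex 
conjugation is an automorphism of $\mathbb{Z}[\zeta_{2n}]$ we have $\mathfrak{p} = \mathfrak{p}^*$. The fact that $\mathfrak{p}$ is a prime ideal 
containing 2 implies that $\mathfrak{p}^*$ is also a prime ideal containing 2. They must coincide since $\mathfrak{p}$ is 
the only prime ideal containing 2. This implies: 

(38) $v_\mathfrak{p}(|x|^2) = v_\mathfrak{p}(x^*) + v_\mathfrak{p}(x) = 2v_\mathfrak{p}(x)$ 

for all $x \in R_n$, which follows because $x\mathbb{Z}[\zeta_{2n}] = \mathfrak{p}^m \prod_i \mathfrak{p}_i^{m_i}$ implies $x^*\mathbb{Z}[\zeta_{2n}] = \mathfrak{p}^m \prod_i (\mathfrak{p}_i^*)^{m_i}$ 
and no $\mathfrak{p}_i^*$ is equal to $\mathfrak{p}$. 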

In the remainder of the proof we will often use the properties of the $\mathfrak{p}$-adic valuation 
described in equations (35), (37), and (38). We now define the complexity measure for 
vectors with entries in $R_n$. 


Definition 7.3 (Complexity measure). Let $n \in \{2, 4, 6, 8, 12\}$. For $x, y \in R_n$ we define 

$\mu(x, y) = -\min(v_\mathfrak{p}(x), v_\mathfrak{p}(y)).$ 

Now we show that every normalized vector with a small value of the complexity measure 
is a first column of some element of $\mathcal{G}_n$. Define 

$\mu_n = v_\mathfrak{p}(i + 1).$ 

Lemma 7.4. Let $n \in \{2, 4, 6, 8, 12\}$. Suppose $x, y \in R_n$, $|x|^2 + |y|^2 = 1$, and $\mu(x, y) \le \mu_n$. 
Then there exists $V \in \mathcal{G}_n$ with first column $(x, y)^T$. 

Let (x, y) be given satisfying the hypotheses of the Lemma. Then $x' = x(i + 1)$ and 
$y' = y(i + 1)$ are elements of $\mathbb{Z}[\zeta_{2n}]$ (and satisfy $|x'|^2 + |y'|^2 = 2$). To see why they are 
elements of $\mathbb{Z}[\zeta_{2n}]$, use the fact that $v_\mathfrak{p}(x') \ge 0$, $v_\mathfrak{p}(y') \ge 0$ and the fact that an element of 
$R_n$ is an algebraic integer if and only if it has non-negative $\mathfrak{p}$-adic valuation. To prove the 
Lemma it is therefore sufficient to show that $(x', y')/(i + 1)$ is a first column of some element 
of $\mathcal{G}_n$ whenever $x', y' \in \mathbb{Z}[\zeta_{2n}]$ satisfy $|x'|^2 + |y'|^2 = 2$. In the following we establish that every 
such pair is described by one of the following three cases 

• Case 1 $(x', y') = (\zeta_{2n}^j, \zeta_{2n}^l)$ for some integers j, l. 

• Case 2 $(x', y') = ((i + 1)\zeta_{2n}^j, 0)$ for some integer j. 

• Case 3 $(x', y') = (0, (i + 1)\zeta_{2n}^j)$ for some integer j. 


^ In [22] the denominator exponent with respect to $\xi_4$ = 1 + was used to establish results on two qubit 
circuit synthesis over the Clifford+T gate library. Here we use the notion of $\mathfrak{p}$-adic valuation as its properties, 
as well as algorithms for its calculation, are well known from the computational number theory literature. 
Before we justify this classification, let us pause to show that in each of these three cases 
$(x, y)^T$ is the first column of a unitary $V \in \mathcal{G}_n$. In cases 2 and 3 we can take V = 
which is an element of $\mathcal{G}_n$ (as can be seen from equation (12)). In case 1, take 

'' = ( 1(11 ijj + J>/n). 

where Hq is given in equation (2). Since each term in the above product is in Qn we have 

It remains to establish the above claimed classification of pairs $(x', y')$. To this end, we use 
a map defined on elements of $\mathbb{Z}[\zeta_{2n}]$ as 

$G(x) = \sum_{m=1}^{d} |\sigma_m(x)|^2$ 

where $\{\sigma_1, \ldots, \sigma_d\}$ is the Galois group of $\mathbb{Q}(\zeta_{2n})$. Note that G(x) is zero if and only if x is 
zero. The second property of G which is crucial for our proof follows from the inequality 
between geometric and arithmetic averages: 

$|N_\mathbb{Q}(x)|^{2/d} = \left(\prod_{m=1}^{d} |\sigma_m(x)|^2\right)^{1/d} \le \frac{1}{d}\sum_{m=1}^{d} |\sigma_m(x)|^2 = \frac{1}{d}G(x)$ 

where $N_\mathbb{Q}(x)$ is the norm of x over $\mathbb{Q}$ relative to $\mathbb{Q}(\zeta_{2n})$. The equation $|x'|^2 + |y'|^2 = 2$ implies 
$\frac{1}{d}G(x') + \frac{1}{d}G(y') = 2$ since 2 is invariant under every element of the Galois group. From the 
above equation we see that $\frac{1}{d}G(x)$ is greater than or equal to 1 for non-zero x. If neither $x'$ 
nor $y'$ is equal to zero then this implies that $(\frac{1}{d}G(x'), \frac{1}{d}G(y')) = (1, 1)$ (since they must sum 
to two and each is at least one). So the only possible values of $(\frac{1}{d}G(x'), \frac{1}{d}G(y'))$ are (1, 1), 
(2, 0) and (0, 2). When $\frac{1}{d}G(x') = 1$ the inequality between $G(x')$ and $|N_\mathbb{Q}(x')|^{2/d}$ must in fact 
be an equality because $|N_\mathbb{Q}(x)|^{2/d} \ge 1$ for non-zero x. Therefore in this case $|\sigma_m(x')|^2 = 1$ 
for all m = 1, ..., d, and it is well known that this implies that $x'$ must be equal to $\zeta_{2n}^j$ for 
some integer j. So in the case where $(\frac{1}{d}G(x'), \frac{1}{d}G(y')) = (1, 1)$, both $x'$ and $y'$ are powers 
of $\zeta_{2n}$. In the case when $(\frac{1}{d}G(x'), \frac{1}{d}G(y'))$ are (2, 0) or (0, 2) we have $|x'|^2 = 2$ and $y' = 0$ or 
$|y'|^2 = 2$ and $x' = 0$ respectively. Consider the case where $|x'|^2 = 2$ and $y' = 0$ (the other case 
is symmetric). Then $x'/(i + 1) \in R_n$ has absolute value 1. Note that each $n \in \{2, 4, 6, 8, 12\}$ 
satisfies the hypothesis of Theorem 5.3 (with s = 1, 1, 3, 1, 3 and t = 1, 1, 1, 1, 1 respectively), 
and applying this Theorem we see that $x'/(i + 1)$ is a power of $\zeta_{2n}$. □ 

Part 3 

Our goal in this part of the proof is to show that, if $\mu(x, y) > \mu_n$, then the complexity measure 
can always be reduced by applying a unitary from $\mathcal{G}_n$ (this is Lemma 7.6). Our strategy is 
to show that one can work “modulo 2” in a sense that we make precise below. In this way 
we reduce the problem to a finite number of cases which can then be checked on a computer. 

Let us now define what we mean by working mod 2. Any $x' \in \mathbb{Z}[\zeta_{2n}]$ can be written using 
an integral basis of $\mathbb{Z}[\zeta_{2n}]$ as $\sum_{k=0}^{d-1} x_k \zeta_{2n}^k$, for $d = \varphi(2n)$ (where $\varphi$ is Euler’s phi function) and 
with each $x_k$ an integer. We define 

$x' \bmod 2 = \sum_{k=0}^{d-1} (x_k \bmod 2)\, \zeta_{2n}^k,$ 

where for an integer $x \in \mathbb{Z}$, x mod 2 denotes 0 or 1 in $\mathbb{Z}$, rather than in $\mathbb{Z}/2\mathbb{Z}$. 
The mod 2 function has the following basic properties 

$(x + y) \bmod 2 = ((x \bmod 2) + (y \bmod 2)) \bmod 2$ 
$(xy) \bmod 2 = ((x \bmod 2) \cdot (y \bmod 2)) \bmod 2$ 
$((x \bmod 2)^*) \bmod 2 = x^* \bmod 2$ 
$|x \bmod 2|^2 \bmod 2 = |x|^2 \bmod 2$ 

which can be checked by writing $x + y$, $xy$, $x^*$ and $|x|^2 = xx^*$ in terms of the coordinates of 
x, y in an integral basis. 

In the following we shall also repeatedly use the following relation between $v_\mathfrak{p}(x')$ and 
$v_\mathfrak{p}(x' \bmod 2)$: 

(39) $\min(v_\mathfrak{p}(x'), v_\mathfrak{p}(2)) = \min(v_\mathfrak{p}(x' \bmod 2), v_\mathfrak{p}(2))$ 

To see that the above is true, first we note that for any u, v from $\mathbb{Z}[\zeta_{2n}]$ such that $u - v \in 2\mathbb{Z}[\zeta_{2n}]$ 
and $v_\mathfrak{p}(u) < v_\mathfrak{p}(2)$ we have $v_\mathfrak{p}(u) = v_\mathfrak{p}(v)$; second we note that $x' - (x' \bmod 2) \in 2\mathbb{Z}[\zeta_{2n}]$. 
The following Lemma, which is proven using a computer program, is the key to our proof 
of Lemma 7.6. 

Lemma 7.5. Let $n \in \{2, 4, 6, 8, 12\}$. Suppose $(a, b) \in \mathbb{Z}[\zeta_{2n}] \bmod 2$ satisfy $v_\mathfrak{p}(a) = v_\mathfrak{p}(b) = 0$ 
and $(|a|^2 + |b|^2) \bmod 2 = 0$. Then there exists an integer $k \in \{1, \ldots, 2n\}$ such that 

$v_\mathfrak{p}(a + \zeta_{2n}^k b) > v_\mathfrak{p}(2)/2.$ 

Proof: The set 

$S_n = \{x \in \mathbb{Z}[\zeta_{2n}] \bmod 2 : v_\mathfrak{p}(x) = 0\}$ 

is finite and so one can in principle directly check the statement of the Lemma by exhaustively 
considering pairs of elements a, b from $S_n$ using a computer. It is possible to simplify things 
using the following observation. For each $x \in \mathbb{Z}[\zeta_{2n}]$ define $c(x) = \min\{(x\zeta_{2n}^k) \bmod 2 : k = 1, \ldots, 2n\}$ 
where the minimum is taken with respect to some ordering (in practice, we use the 
lexicographic ordering on vectors of integers, applied to the representation of x in an integral 
basis). Since $v_\mathfrak{p}(x) = v_\mathfrak{p}(x\zeta_{2n}^k)$ for all k and $|x\zeta_{2n}^k| = |x|$, one can instead exhaustively 
consider pairs of elements a, b from the smaller set $S'_n = \{c(x) : x \in \mathbb{Z}[\zeta_{2n}] \bmod 2,\ v_\mathfrak{p}(x) = 0\}$. 
In Figure 1 we provide a MAGMA script which verifies the Lemma using this strategy. □ 
Finally, we prove: 

Lemma 7.6. Let $n \in \{2, 4, 6, 8, 12\}$ and suppose $x, y \in R_n$ satisfy $|x|^2 + |y|^2 = 1$ and 
$\mu(x, y) > \mu_n$. Then there exists an integer k such that 

$\mu(c_k, d_k) < \mu(x, y),$ 

where 

{Z)= ( y ) ■ 

Proof: Recall that (since $\mathbb{Z}[\zeta_{2n}]$ is a principal ideal domain for the values of n we consider) 
$\mathfrak{p}$ is generated by a single element $\xi_n$. Define $x' = x\,\xi_n^{\mu(x,y)}$ and $y' = y\,\xi_n^{\mu(x,y)}$. Without loss of 
generality we can assume that $v_\mathfrak{p}(x) = -\mu(x, y)$ and thus $v_\mathfrak{p}(x') = 0$. Then 

(40) $v_\mathfrak{p}(|x'|^2 + |y'|^2) = v_\mathfrak{p}(|\xi_n^{\mu(x,y)}|^2) = 2\mu(x, y) > 2\mu_n = v_\mathfrak{p}(2) > 0,$ 

where in the last inequality we used the fact that $\mathfrak{p}$ contains 2. Now using (37), (38), (40), 
and the fact that $v_\mathfrak{p}(|x'|^2) = 0$ we see that $v_\mathfrak{p}(|y'|^2) = 0$ and hence $v_\mathfrak{p}(y') = 0$. Thus 

$(x, y) = \xi_n^{-\mu(x,y)}(x', y')$ with $v_\mathfrak{p}(x') = v_\mathfrak{p}(y') = 0$. 

Using this fact we get 


dk 


i(l + j)?-"'''"’ 


x' + y'CL \ 
x' - y'CL ) 


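and so 

$\mu(c_k, d_k) - \mu(x, y) = v_\mathfrak{p}(1 - i) - \min\left(v_\mathfrak{p}(x' + \zeta_{2n}^k y'),\ v_\mathfrak{p}(x' - \zeta_{2n}^k y')\right).$ 

To prove the Lemma we have to show that the right-hand side of this expression is strictly 
negative for some k. To this end, it is sufficient to show that $v_\mathfrak{p}(x' + \zeta_{2n}^k y') > v_\mathfrak{p}(1 - i) = 
v_\mathfrak{p}(2)/2$. To see this, observe that 

$v_\mathfrak{p}\left((x' + \zeta_{2n}^k y') + (x' - \zeta_{2n}^k y')\right) = v_\mathfrak{p}(2x') = v_\mathfrak{p}(2)$ 

and so if $v_\mathfrak{p}(x' + \zeta_{2n}^k y') > v_\mathfrak{p}(2)/2$ then (37) implies $v_\mathfrak{p}(x' - \zeta_{2n}^k y') > v_\mathfrak{p}(2)/2$ as well. 
Finally, to show that $v_\mathfrak{p}(x' + \zeta_{2n}^k y') > v_\mathfrak{p}(2)/2$ (for some k) it is sufficient to show 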

(41) Vp (4mod 2 -I- 2) > Vp (2) /2 

(for some k). To see why this is sufficient, use (39) and the fact that 

$(x' + \zeta_{2n}^k y') \bmod 2 = \left(x' \bmod 2 + \zeta_{2n}^k (y' \bmod 2)\right) \bmod 2.$ 

Now let $a = x' \bmod 2$ and $b = y' \bmod 2$. Since $v_\mathfrak{p}(x') = v_\mathfrak{p}(y') = 0$, equation (39) shows that 

$v_\mathfrak{p}(a) = v_\mathfrak{p}(b) = 0.$ 

Furthermore 

$(|a|^2 + |b|^2) \bmod 2 = (|x'|^2 + |y'|^2) \bmod 2 = 0.$ 

The last equality follows from the fact that $|x'|^2 + |y'|^2 \in 2\mathbb{Z}[\zeta_{2n}]$ which follows from $v_\mathfrak{p}(|x'|^2 + |y'|^2) > 
v_\mathfrak{p}(2)$ (which is shown in (40)). The pair (a, b) therefore satisfies the hypotheses of Lemma 7.5 
and applying that Lemma we get that there exists an integer k satisfying (41). □ 


8. Proof of Theorem 5.3 

Recall that n is even, $R_n = \mathbb{Z}[\zeta_{2n}, 1/2] \subset \mathbb{C}$, and $T_n = R_n \cap \mathbb{R}$. Write $U_R$ and $U_T$ for the 
unit groups of $R_n$ and $T_n$, respectively. 

Theorem 5.3. Factor $n = 2^k s$, where s is odd, and suppose that there is some positive 
integer t such that $2^t \equiv -1 \pmod{s}$. Then the set 

$S = \{r \in R_n : |r| = 1\}$ 

of elements of $R_n$ with complex absolute value 1 is equal to the set of roots of unity in $\mathbb{Q}(\zeta_{2n})$; 
that is, 

(30) $S = \{e^{i\pi j/n} : j \in \{0, \ldots, 2n-1\}\}.$ 

Conversely, if there is no such positive integer t, then the set S contains an element of infinite 
order. 
check := function(n)
  // Cyclotomic field Q(zeta_2n), generator w, and its ring of integers
  C<w>:=CyclotomicField(2*n);
  CI:=Integers(C);
  // Valuation at the unique prime ideal above 2
  PrimeIdealsAboveTwo := Decomposition(CI,2);
  assert(#PrimeIdealsAboveTwo eq 1);
  p:=Place(PrimeIdealsAboveTwo[1,1]);
  twoValuation := func< x | Valuation(x,p) >;
  Z:=RingOfIntegers();
  // Coordinate-wise reduction mod 2, and the canonical representative c(x)
  mod2 := func< x | CI![ Z!y mod 2 : y in Eltseq(x) ]>;
  c := func< u | CI!Min([ Eltseq(mod2(u*w^k)) : k in [1..2*n]]) >;
  Elt := func< a | CI![x : x in a] >;
  // The reduced set S'_n of elements with valuation 0
  sprime:=Set([ c(Elt(x)) : x in CartesianPower([0,1],Degree(CI)) |
                twoValuation(Elt(x)) eq 0 ]);
  abss := func< x | x*ComplexConjugate(x) >;
  // Pairs (a,b) with |a|^2 + |b|^2 = 0 mod 2, each checked for a suitable k
  S:=[ [x,y] : x in sprime, y in sprime | mod2(abss(x)+abss(y)) eq 0 ];
  checkcase := func< u,v | exists{ true : k in [1..2*n] |
                twoValuation(mod2(u+v*w^k)) gt twoValuation(2)/2 } >;
  return &and[ checkcase(p[1],p[2]) : p in S ];
end function;

check(2),check(4),check(6),check(8),check(12);


Figure 1. MAGMA script that verifies that Lemma 7.5 is true. This script 
can be executed online at http://magma.maths.usyd.edu.au/calc/. 

The central idea of the proof of this theorem is due to Shastri ([25], Theorem 1.1). However, 
the details work out somewhat differently in our situation than in hers. 

Proof: First, note that the set of roots of unity in $R_n$ is the same as the set of roots of unity 
in $\mathbb{Q}(\zeta_{2n})$, which is precisely the set of powers of $\zeta_{2n}$. Thus, since the set S is a group under 
multiplication, if we show that S is finite, it must consist precisely of the roots of unity 
described in the statement of the theorem. 

It remains to establish that any $r = a + bi \in R_n$ satisfying |r| = 1 is a root of unity if 
and only if there is an integer t such that $2^t \equiv -1 \pmod{s}$. For this part of the proof we 
may assume without loss of generality that n is a multiple of 4, since $\mathbb{Z}[\zeta_{2n}, 1/2]$ is contained 
in $\mathbb{Z}[\zeta_{8n}, 1/2]$, and the value of s is the same for 2n and 8n. For the rest of the proof we 
therefore assume that $R_n = \mathbb{Z}[\zeta_{2n}, 1/2]$, where n is a multiple of 4. 

Let $T_n$ be the ring $T_n = R_n \cap \mathbb{R}$ and let $K_n$ be the fraction field of $R_n$. Since a and b are 
elements of $T_n$ satisfying $a^2 + b^2 = 1$, $r = a + bi$ is an element of the kernel of the norm map 
$N: K_n \to K_n \cap \mathbb{R}$, given by 

$N(a + bi) = (a + bi)(a - bi) = a^2 + b^2 = |a + bi|^2.$ 

Note that N is a multiplicative homomorphism from $U_R$ to $U_T$. 

The Dirichlet Unit Theorem computes the unit group of rings like $R_n$ and $T_n$. To state 
it, we will need some preliminaries about embeddings of $R_n$ in $\mathbb{C}$. For any number field L, 
let $r_1$ be the number of homomorphisms from L to $\mathbb{R}$, and let $r_1 + 2r_2$ be the number of 
homomorphisms from L to $\mathbb{C}$. (The extra coefficient 2 comes from the fact that complex 
embeddings come in conjugate pairs, if they are not real embeddings.) It is known (see for 
example [19], page 30, the discussion before Proposition 5.1) that $r_1 + 2r_2 = [L : \mathbb{Q}]$. 
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We reproduce here the specialization of the general Dirichlet Theorem to the case we need 
- see [19] for the general case. 

Theorem 8.1 ([19], Proposition VI.1.1). Let $L$ be a number field. Let $A$ be the ring of 
integers of $L$. The group of units of the ring $A[1/2]$ is isomorphic to p. x ^ where 
p is the group of roots of unity in $L$, and y is the number of prime ideals of $A$ containing 2. 

Note that $R_n$ is the ring $A[1/2]$ with $A = \mathbb{Z}[\zeta_{2n}]$, and $T_n$ is the ring $(A \cap \mathbb{R})[1/2]$, so the 
theorem applies to both rings. 

Definition 8.2. Let $M$ be an abelian group isomorphic to $G \times \mathbb{Z}^m$, where $G$ is a finite group 
and $m$ is a non-negative integer. The rank of $M$ is defined to be $m$. 

Note that isomorphic groups have the same rank, and that every finitely generated abelian 
group is isomorphic to a group of the form $G \times \mathbb{Z}^m$. Intuitively, an abelian group of rank $m$ 
is like a vector space of dimension $m$. In particular, if $\phi\colon M_1 \to M_2$ is a homomorphism of 
abelian groups of rank $m_1$ and $m_2$, respectively, then 
$\mathrm{rank}(\ker \phi) + \mathrm{rank}(\mathrm{im}\, \phi) = \mathrm{rank}(M_1) = m_1$. 

Since $R_n$ cannot be embedded in $\mathbb{R}$ (it contains $i$), all of its complex embeddings are 
non-real. The Dirichlet Unit Theorem says that the group $U_R$ of units of $R_n$ has rank 
$L + [\mathbb{Q}(\zeta_{2n}) : \mathbb{Q}]/2$, where $L$ is the number of prime ideals of $\mathbb{Z}[\zeta_{2n}]$ that contain 2. The ring 
$T_n$, by contrast, admits no embeddings in $\mathbb{C}$ that are not contained in $\mathbb{R}$, so the group $U_T$ of 
units of $T_n$ has rank $\ell + [\mathbb{Q}(\zeta_{2n}) \cap \mathbb{R} : \mathbb{Q}] = \ell + [\mathbb{Q}(\zeta_{2n}) : \mathbb{Q}]/2$, where $\ell$ is the number of prime 
ideals of $\mathbb{Z}[\zeta_{2n}] \cap \mathbb{R}$ that contain 2: 

$$\mathrm{rank}(U_R) = L + [\mathbb{Q}(\zeta_{2n}) : \mathbb{Q}]/2$$
$$\mathrm{rank}(U_T) = \ell + [\mathbb{Q}(\zeta_{2n}) : \mathbb{Q}]/2$$

For every $b \in U_T$, we have $N(b) = |b|^2 = b^2 \in N(U_R)$. By the Dirichlet Unit Theorem, if 
$m = \mathrm{rank}(U_T)$, then there are units $b_1, \ldots, b_m$ such that the group $U_T$ is the set $\{w b_1^{a_1} \cdots b_m^{a_m}\}$ 
where $w$ is a root of unity and the $a_i$ are arbitrary integers. The image $N(U_R)$ contains the set 

which also has rank $m$. Since $N(U_R)$ is a subgroup of $U_T$, it therefore 
has rank exactly equal to $m = \mathrm{rank}(U_T)$: 

$$\mathrm{rank}(N(U_R)) = \mathrm{rank}(U_T) = m$$

If $|r| = 1$, then $r$ is an element of the kernel of $N$. If we can show that the kernel of $N$ 
(restricted to $U_R$) is finite if and only if $-1$ is a power of 2 modulo $s$, then we are done. 

The rank of $U_R$ is $L + [\mathbb{Q}(\zeta_{2n}) : \mathbb{Q}]/2$. The rank of $N(U_R)$ is equal to the rank of $U_T$, which 
is $\ell + [\mathbb{Q}(\zeta_{2n}) : \mathbb{Q}]/2$. If $L = \ell$, then the rank of $U_R$ and the rank of $N(U_R)$ will be equal, so 
the rank of the kernel of $N$ must be zero, implying that the kernel of $N$ is finite. If $L \neq \ell$, 
then the kernel of $N$ will have positive rank, and there will be an infinite number of elements 
of $R_n$ of absolute value 1, and in particular infinitely many of them will not be roots of unity. 
Thus, we wish to prove that $L = \ell$ if and only if $-1$ is a power of 2 modulo $s$. 

Consider the ring $B = \mathbb{Z}[\zeta_s]$. A minimal polynomial for $\zeta_{2n}$ over $B$ is -|- C,s. This is 
because the degree of $\zeta_{2n}$ over $\mathbb{Q}$ is ipifln) = = 2^ip{s) = 2 *'[Q(C 5 ) : Q], so -|- Cs 
has the smallest possible degree amongst nonzero polynomials with coefficients in $B$ that 
have $\zeta_{2n}$ as a root. 

If $P$ is any prime ideal of $\mathbb{Z}[\zeta_s]$ with $2 \in P$, then modulo $P$, we have (for some $z' \in 
\mathbb{Z}[\zeta_s]/P$) x‘^ -i- z = {x + (mod P). Prime ideals of $\mathbb{Z}[\zeta_{2n}]$ containing $P$ are in one-to-one 
correspondence with irreducible factors of -£ z modulo $P$. Thus, for every prime ideal $P$ 
of $\mathbb{Z}[\zeta_s]$ with $2 \in P$, there is exactly one prime ideal of $\mathbb{Z}[\zeta_{2n}]$ containing $P$. Since any ideal 
of $\mathbb{Z}[\zeta_{2n}]$ containing 2 must contain exactly one prime ideal of $\mathbb{Z}[\zeta_s]$ containing 2, we see that 
the prime ideals of $\mathbb{Z}[\zeta_{2n}]$ containing 2 are in one-to-one correspondence with the prime ideals 
of $\mathbb{Z}[\zeta_s]$ containing 2. 

Let $\gamma_n = \zeta_n + \zeta_n^{-1}$. We will now show that the prime ideals of $\mathbb{Z}[\gamma_s]$ containing 2 are in 
one-to-one correspondence with prime ideals of $\mathbb{Z}[\gamma_{2n}]$ containing 2. 

To do this, we will show that for any integer $c > 3$, the prime ideals of $\mathbb{Z}[\gamma_c]$ containing 
2 are in one-to-one correspondence with the prime ideals of $\mathbb{Z}[\gamma_{2c}]$ containing 2. A simple 
induction will yield the desired result. 

If $c$ is odd, then $\mathbb{Z}[\gamma_c] = \mathbb{Z}[\gamma_{2c}]$ since $\gamma_c = -\gamma_{2c}$. Thus, we assume that $c$ is even. 

Notice that $\gamma_{2c}^2 = (\zeta_{2c} + \zeta_{2c}^{-1})^2 = \zeta_c + \zeta_c^{-1} + 2$, so: 

$$\gamma_{2c}^2 = \gamma_c + 2$$

A minimal polynomial for $\gamma_{2c}$ over $\mathbb{Q}(\gamma_c)$ is therefore $x^2 - (\gamma_c + 2)$. If $P$ is a prime ideal 
of $\mathbb{Z}[\gamma_c]$ with $2 \in P$, then $x^2 - (\gamma_c + 2)$ is a square modulo $P$ (indeed, it’s congruent to 
$(x - \gamma_{2c})^2$). Since the prime ideals of $\mathbb{Z}[\gamma_{2c}]$ containing $P$ are in one-to-one correspondence 
with the irreducible factors of $x^2 - (\gamma_c + 2)$ modulo $P$, there is exactly one prime ideal of $\mathbb{Z}[\gamma_c]$ 
containing $P$. Thus, as in the case of $\zeta_{2n}$, we see that the prime ideals of $\mathbb{Z}[\gamma_{2c}]$ containing 2 
are in one-to-one correspondence with the prime ideals of $\mathbb{Z}[\gamma_c]$ containing 2. 

The rings $\mathbb{Z}[\gamma_s]$ and $\mathbb{Z}[\gamma_{2n}]$ have the same number of prime ideals containing 2, and the 
rings $\mathbb{Z}[\zeta_s]$ and $\mathbb{Z}[\zeta_{2n}]$ have the same number of prime ideals containing 2. Thus, $L = \ell$ if and 
only if the rings $\mathbb{Z}[\gamma_s]$ and $\mathbb{Z}[\zeta_s]$ have the same number of prime ideals containing 2. 

Let $P$ be a prime ideal of $\mathbb{Z}[\gamma_s]$ with $2 \in P$. We will compute the number of prime ideals 
of $\mathbb{Z}[\zeta_s]$ containing $P$. 

Such prime ideals correspond one-to-one with irreducible factors modulo $P$ of a minimal 
polynomial for $\zeta_s$ over $\mathbb{Q}(\gamma_s)$. This polynomial is $x^2 - \gamma_s x + 1$. Since $\gamma_s$ is a unit in the 
ring $\mathbb{Z}[\gamma_s]$, it cannot be an element of $P$. Therefore, the polynomial $x^2 - \gamma_s x + 1$ cannot be 
a perfect square modulo $P$. Thus, modulo $P$, the polynomial $x^2 - \gamma_s x + 1$ either has two 
coprime linear factors, or else it is irreducible. In other words, there are two cases: 

• There are two prime ideals $Q_1, Q_2$ of $\mathbb{Z}[\zeta_s]$ containing $P$, with $\mathbb{Z}[\zeta_s]/Q_i = \mathbb{Z}[\gamma_s]/P = F$ 
(“$P$ splits”), or else 

• There is a unique prime ideal $Q$ of $\mathbb{Z}[\zeta_s]$ containing $P$, satisfying $\mathbb{Z}[\zeta_s]/Q$ isomorphic 
to a degree two extension of $F$ (“$P$ is inert”) 

We will show that $L = \ell$ if and only if $P$ is inert in $\mathbb{Z}[\zeta_s]$. 

Let $Q$ be any prime ideal of $\mathbb{Z}[\zeta_s]$ containing $P$, and let $E$ be the field $\mathbb{Z}[\zeta_s]/Q$. We see 
that $P$ splits if and only if $E = F$. 

Let $m$ be the degree of $E$ over the field $\mathbb{F}_2$ with 2 elements. Then $m$ is the multiplicative 
order of 2 modulo $s$. To see this, notice that a field of order $2^m$ contains a primitive $s$th 
root of unity if and only if $2^m \equiv 1 \pmod{s}$ - elements of $\mathbb{F}_{2^m}$ are the roots of $x^{2^m} = x$, 
and $\zeta_s^s = 1$. The smallest positive integer $m$ satisfying that congruence is precisely the 
multiplicative order of 2 modulo $s$. 

The field $F$ is generated over $\mathbb{F}_2$ by the element $\gamma_s$ (or, more precisely, by its reduction 
modulo $P$). We have $E = F$ if and only if there is no nontrivial element of $\mathrm{Gal}(E/\mathbb{F}_2)$ that 
fixes $\gamma_s$. 

The function $x \mapsto x^2$ is a generator of the Galois group of $E$ over $\mathbb{F}_2$, so every Galois 
conjugate (modulo $P$) of $\gamma_s$ is of the form $\zeta_s^{2^t} + \zeta_s^{-2^t}$ for some integer $t$. If $a$ and $b$ are integers 
such that $\zeta_s^a + \zeta_s^{-a} = \zeta_s^b + \zeta_s^{-b}$ (modulo $P$), then $\zeta_s^a(1 + \zeta_s^{b-a}) = \zeta_s^{-b}(\zeta_s^{b-a} + 1)$, implying that 
either $a \equiv -b \pmod{s}$, or else $\zeta_s^{b-a} \equiv 1 \pmod{P}$, which is equivalent to $b \equiv a \pmod{s}$. 
Thus, the $t$th Galois conjugate of $\gamma_s$ equals $\gamma_s$ if and only if $2^t \equiv \pm 1 \pmod{s}$. Since 
$2^t \equiv 1 \pmod{s}$ if and only if $t$ is a multiple of $m$, it follows that $\gamma_s$ is fixed by a nontrivial 
automorphism of $E$ if and only if $-1$ is a power of 2 modulo $s$. 

For every $P$, then, there is a unique prime ideal of $\mathbb{Z}[\zeta_s]$ containing $P$ if and only if $-1$ is 
a power of 2 modulo $s$. This conclusion is independent of $P$, so $L = \ell$ if and only if $-1$ is a 
power of 2 modulo $s$. Since there are elements $r \in S$ of infinite order if and only if $L \neq \ell$, we 
are done. $\square$ 
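
The criterion the proof ends on can be checked numerically for small odd $s$. The Python sketch below is an added example, not part of the paper; its function names are chosen here, and it counts the primes containing 2 in $\mathbb{Z}[\zeta_s]$ and $\mathbb{Z}[\gamma_s]$ (which the proof shows agree with the counts $L$ and $\ell$) using a standard fact that this page does not prove: 2 is unramified for odd $s$, so the count is the field degree divided by the order of 2 in the Galois group.

```python
from math import gcd

def _require_odd(s):
    if s < 3 or s % 2 == 0:
        raise ValueError("s must be an odd integer >= 3")

def first_power_in(s, targets):
    """Smallest t >= 1 with 2^t mod s in targets; terminates because 1 is a target."""
    value, t = 2 % s, 1
    while value not in targets:
        value, t = (2 * value) % s, t + 1
    return t

def minus_one_is_power_of_two(s):
    """The proof's criterion: is there an integer t with 2^t = -1 (mod s)?"""
    _require_odd(s)
    m = first_power_in(s, {1})                  # multiplicative order of 2 mod s
    return any(pow(2, t, s) == s - 1 for t in range(1, m + 1))

def primes_above_two(s):
    """Return (L, ell): primes containing 2 in Z[zeta_s] and in Z[gamma_s].

    Assumption (standard, not proved on this page): 2 is unramified, so the
    count is the field degree divided by the order of 2 in the Galois group,
    (Z/s)^* for Q(zeta_s) and (Z/s)^*/{+1,-1} for Q(gamma_s).
    """
    _require_odd(s)
    phi = sum(1 for a in range(1, s) if gcd(a, s) == 1)   # [Q(zeta_s) : Q]
    m = first_power_in(s, {1})                  # residue degree in Q(zeta_s)
    m_real = first_power_in(s, {1, s - 1})      # residue degree in Q(gamma_s)
    return phi // m, (phi // 2) // m_real

def classify(s_values):
    """Rows (s, L, ell, criterion) for each odd s."""
    return [(s, *primes_above_two(s), minus_one_is_power_of_two(s)) for s in s_values]

if __name__ == "__main__":
    for s, L, ell, ok in classify(range(3, 32, 2)):
        print(f"s={s:2d}  L={L}  ell={ell}  -1 in <2>: {ok}")
```

For $s = 7$ the two counts differ (2 primes against 1), which is the case where the kernel of $N$ has positive rank; for $s = 17$ both counts are 2.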

Appendix A. Algebraic number theory glossary 

In this paper, we use a number of terms and facts from algebraic number theory that may 
not be familiar to the reader. We summarize them in this section. 

Definition A.1. A complex number $c$ is said to be an algebraic number iff there is a nonzero 
polynomial $f(x)$ with coefficients in $\mathbb{Q}$ such that $f(c) = 0$. The number $c$ is said to be an 
algebraic integer iff the polynomial $f(x)$ can be chosen to have integer coefficients and leading 
coefficient one (i.e., $f(x)$ is monic). 

By definition an algebraic integer is a root of some monic polynomial with integer coefficients; 
however, it is a fact that the minimal polynomial of an algebraic integer over $\mathbb{Q}$ has 
integer coefficients. The algebraic integers are a subring of $\mathbb{C}$; in particular, the sum and 
product of two algebraic integers is also an algebraic integer. Furthermore, if $z$ is a root of a 
monic polynomial which has algebraic integers as coefficients then $z$ is an algebraic integer. 

Definition A.2. Let b and c be algebraic integers. We say that b is divisible by c iff c is 
nonzero and b/c is also an algebraic integer. 

Definition A.3. A number field is a finite algebraic extension of $\mathbb{Q}$, i.e., a field obtained by 
adjoining a finite set of algebraic numbers to $\mathbb{Q}$. 

Every number field $K$ satisfies $K = \mathbb{Q}(\theta)$ for some algebraic number $\theta$; the degree of $K$ is 
the degree of the minimal polynomial of $\theta$. 

Definition A.4. Let $K$ be a number field. The set $\mathcal{O}_K$ of all algebraic integers which lie in 
$K$ forms a ring, called the ring of integers of $K$. 

The ring of integers $\mathcal{O}_K$ of a number field is a Dedekind domain, which in particular 
implies that ideals admit unique prime factorization. That is, if $I \subset \mathcal{O}_K$ is a nonzero ideal 
and $I \neq \mathcal{O}_K$, there is a unique factorization (up to possible reordering of the factors): 

$$I = \prod_{i=1}^{k} Q_i$$

where $Q_i$ are prime ideals. 

Definition A.5. Let $K$ be a number field and $I, J \subset \mathcal{O}_K$ be two ideals which share no common 
factors in their prime factorizations. Then $I$ and $J$ are said to be coprime. Likewise, for any 
two elements $x, y \in \mathcal{O}_K$ we say $x$ and $y$ are coprime if $x\mathcal{O}_K$ and $y\mathcal{O}_K$ are coprime. 

In fact, $I, J \subset \mathcal{O}_K$ are coprime if and only if $I + J = \mathcal{O}_K$. 

Definition A.6. Let $K$ be a number field of degree $D$ and $I \subset \mathcal{O}_K$ be a nonzero ideal. The 
norm $N(I)$ of $I$ is equal to the number of elements of the quotient ring $\mathcal{O}_K/I$. 

Note that the norm of a nonzero proper ideal (i.e., a nonzero ideal which is not equal to 
$\mathcal{O}_K$) is at least 2. 

The key property of the norm is that it is multiplicative, i.e., $N(IJ) = N(I)N(J)$. For a 
principal ideal generated by an element $a \in \mathcal{O}_K$ the norm can be equivalently expressed as 
follows. Let $c$ be the constant coefficient of the monic minimal polynomial of $a$, and suppose 
this polynomial has degree $d$. Then $N(a\mathcal{O}_K) = |c|^{D/d}$ (here $d$ always divides $D$). Since the 
constant coefficient of the monic minimal polynomial of $a$ is, up to sign, the product of the 
Galois conjugates of $a$, this means that we can also express the norm of a principal ideal as 
$N(a\mathcal{O}_K) = |a_1 \cdots a_d|^{D/d}$. (The Galois conjugates of an algebraic number $a$ are the algebraic 
numbers $\sigma(a)$, where $\sigma$ is a homomorphism from $\mathbb{Q}(a)$ to $\mathbb{C}$. These are precisely the roots of 
the minimal polynomial of $a$.) 

Note that the norm of an algebraic number will change depending on the field $K$. In 
particular, if $L$ is a number field containing $K$, then N^aOif) = N{aO■ In particular, 
note that the norm of the ideal $2\mathcal{O}_K$ is equal to 

If $a\mathcal{O}_K, b\mathcal{O}_K \subset \mathcal{O}_K$ have norms which are relatively prime, then $a$ and $b$ are coprime. To 
see this, write prime factorizations 

$$a\mathcal{O}_K = \prod_{i=1}^{k_1} Q_i \qquad b\mathcal{O}_K = \prod_{j=1}^{k_2} P_j$$

where the norm of each of the prime factors is an integer $\geq 2$. Using multiplicativity we see 
that $P_j \neq Q_i$ for all $i$ and $j$ since otherwise $N(P_j)$ would divide both $N(a\mathcal{O}_K)$ and $N(b\mathcal{O}_K)$. 

For further details about the norm of an ideal, see for example [19, 1]. 

Definition A.7. Let $\mathcal{O}_K$ be the ring of integers in a number field $K$ of degree $d$ over $\mathbb{Q}$. 
An integral basis for $\mathcal{O}_K$ over $\mathbb{Z}$ is a set $\{r_1, \ldots, r_d\}$ such that every element of $\mathcal{O}_K$ can be 
uniquely expressed as an integer linear combination of $\{r_1, \ldots, r_d\}$. In other words, for every 
$a \in \mathcal{O}_K$, there exist unique integers $a_1, \ldots, a_d$ such that $a = a_1 r_1 + \ldots + a_d r_d$. 


